diff --git a/modules/infrastructure/variables.tf b/modules/infrastructure/variables.tf
index 9252827..31821ab 100644
--- a/modules/infrastructure/variables.tf
+++ b/modules/infrastructure/variables.tf
@@ -88,6 +88,7 @@ variable "services" {
     })))
     ports = optional(list(string))
     auth = bool
+    auth_cert = optional(string)
     auth_redirects = optional(list(string))
     s3 = bool
     database = bool
diff --git a/modules/services/authentik.tf b/modules/services/authentik.tf
index 63bc0e7..ea784c4 100644
--- a/modules/services/authentik.tf
+++ b/modules/services/authentik.tf
@@ -2,10 +2,14 @@ data "authentik_flow" "default_authorization_flow" {
   slug = "default-provider-authorization-implicit-consent"
 }
 
-data "authentik_certificate_key_pair" "default" {
+data "authentik_certificate_key_pair" "ecdsa" {
   name = "auth.serguzim.me"
 }
 
+data "authentik_certificate_key_pair" "rsa" {
+  name = "authentik Self-signed Certificate"
+}
+
 data "authentik_property_mapping_provider_scope" "default_scopes" {
   managed_list = [
     "goauthentik.io/providers/oauth2/scope-email",
@@ -58,7 +62,9 @@ resource "authentik_provider_oauth2" "service_providers" {
       data.authentik_property_mapping_provider_scope.default_scopes.ids,
       each.key == "minio" ? [authentik_property_mapping_provider_scope.minio.id] : []
   ])
-  signing_key        = data.authentik_certificate_key_pair.default.id
+  signing_key        = (each.value.auth_cert == "rsa" ?
+      data.authentik_certificate_key_pair.rsa.id :
+      data.authentik_certificate_key_pair.ecdsa.id)
 }
 
 resource "authentik_application" "service_applications" {
diff --git a/modules/services/output.tf b/modules/services/output.tf
index eeee49b..14edcb8 100644
--- a/modules/services/output.tf
+++ b/modules/services/output.tf
@@ -1,7 +1,7 @@
 output "authentik_data" {
   value = {
     for key in keys(authentik_application.service_applications) : key => {
-      "base_url"      = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}/"
+      "base_url"      = "${var.authentik_url}/application/o/${authentik_application.service_applications[key].slug}"
       "client_id"     = authentik_provider_oauth2.service_providers[key].client_id
       "client_secret" = authentik_provider_oauth2.service_providers[key].client_secret
     }
diff --git a/modules/services/variables.tf b/modules/services/variables.tf
index faa5db9..eca2500 100644
--- a/modules/services/variables.tf
+++ b/modules/services/variables.tf
@@ -37,6 +37,7 @@ variable "services" {
     })))
     ports = optional(list(string))
     auth = bool
+    auth_cert = optional(string)
     auth_redirects = optional(list(string))
     s3 = bool
     database = bool
diff --git a/roles/gatus/vars/main.yml b/roles/gatus/vars/main.yml
index df8b11c..f425c00 100644
--- a/roles/gatus/vars/main.yml
+++ b/roles/gatus/vars/main.yml
@@ -47,7 +47,7 @@ gatus_yml:
 
   security:
     oidc:
-      issuer-url: "{{ opentofu.authentik_data.gatus.base_url }}"
+      issuer-url: "{{ opentofu.authentik_data.gatus.base_url }}/"
       redirect-url: "https://{{ gatus_svc.domain }}/authorization-code/callback"
       client-id: "{{ opentofu.authentik_data.gatus.client_id }}"
       client-secret: "{{ opentofu.authentik_data.gatus.client_secret }}"
diff --git a/roles/linkwarden/vars/main.yml b/roles/linkwarden/vars/main.yml
index fe9ed5e..8df1e66 100644
--- a/roles/linkwarden/vars/main.yml
+++ b/roles/linkwarden/vars/main.yml
@@ -27,8 +27,8 @@ linkwarden_env:
   SPACES_FORCE_PATH_STYLE: false
 
   NEXT_PUBLIC_DISABLE_REGISTRATION: true
-  NEXT_PUBLIC_CREDENTIALS_ENABLED: true
-  NEXT_PUBLIC_AUTHENTIK_ENABLED: false
+  NEXT_PUBLIC_CREDENTIALS_ENABLED: false
+  NEXT_PUBLIC_AUTHENTIK_ENABLED: true
   AUTHENTIK_CUSTOM_NAME: auth.serguzim.me
   AUTHENTIK_ISSUER: "{{ opentofu.authentik_data.linkwarden.base_url }}"
   AUTHENTIK_CLIENT_ID: "{{ opentofu.authentik_data.linkwarden.client_id }}"
diff --git a/roles/vikunja/vars/main.yml b/roles/vikunja/vars/main.yml
index 394fa16..db2bc27 100644
--- a/roles/vikunja/vars/main.yml
+++ b/roles/vikunja/vars/main.yml
@@ -40,7 +40,7 @@ vikunja_yml:
       enabled: true
       providers:
         - name: auth.serguzim.me
-          authurl: "{{ opentofu.authentik_data.vikunja.base_url }}"
+          authurl: "{{ opentofu.authentik_data.vikunja.base_url }}/"
           logouturl: "{{ (opentofu.authentik_data.vikunja.base_url, 'end-session') | path_join }}"
           clientid: "{{ opentofu.authentik_data.vikunja.client_id }}"
           clientsecret: "{{ opentofu.authentik_data.vikunja.client_secret }}"
diff --git a/services.auto.tfvars b/services.auto.tfvars
index 3d76288..6e58d1c 100644
--- a/services.auto.tfvars
+++ b/services.auto.tfvars
@@ -233,6 +233,7 @@ services = {
       group = "4-services"
     }
     auth = true
+    auth_cert = "rsa"
     auth_redirects = ["https://bookmarks.serguzim.me/api/v1/auth/callback/authentik"]
     database = true
     s3 = true
diff --git a/variables.tf b/variables.tf
index a6495e1..c3fcffd 100644
--- a/variables.tf
+++ b/variables.tf
@@ -144,6 +144,7 @@ variable "services" {
     }))
     ports = optional(list(string))
     auth = bool
+    auth_cert = optional(string)
     auth_redirects = optional(list(string))
     s3 = bool
     database = bool