diff --git a/docs/how-to/authentik/authentik-api-client-generation.md b/docs/how-to/authentik/authentik-api-client-generation.md
index 1624f72..f08b712 100644
--- a/docs/how-to/authentik/authentik-api-client-generation.md
+++ b/docs/how-to/authentik/authentik-api-client-generation.md
@@ -1,7 +1,6 @@
 ---
 title: Generate Authentik API Clients
 modified: 2026-02-28
-status: active
 tags:
   - how-to
   - authentik
@@ -30,7 +29,22 @@ Both clients are generated from the same `schema.yml` OpenAPI spec in the main a
 - Source spec: `schema.yml` in the authentik repo root
 - Go client replaces `vendor/goauthentik.io/api/v3/` in the server build
 - TypeScript client replaces `web/node_modules/@goauthentik/api/` in the web UI build
-- The nixpkgs derivation patches the generated Go client (`client-go-config.patch`) — check if still needed
+- The `client-go-config.patch` adds `disallowAdditionalPropertiesIfNotPresent: false` to the OpenAPI generator config — still needed as of 2025.12.4
+
+## What We Learned
+
+- The Go client source comes from `goauthentik/client-go` (separate repo), not the main authentik repo. It contains `schema.yml`, `config.yaml`, `go.mod`, and `go.sum`.
+- The TypeScript client uses the main authentik source's `schema.yml` and `scripts/api/ts-config.yaml`.
+- The `apiGoVendorHook` must skip itself during FOD builds (checking `$outputHash`) so the Go `vendorHash` only depends on `go.sum`, not generated client content.
+- Both clients build cleanly on nixos-25.11 with `openapi-generator-cli` 7.17.0.
+
+## Files
+
+- `containers/authentik/client-go.nix` — Go client derivation
+- `containers/authentik/client-ts.nix` — TypeScript client derivation
+- `containers/authentik/api-go-vendor-hook.nix` — Go vendor injection hook
+- `containers/authentik/client-go-config.patch` — OpenAPI generator config patch
+- `containers/authentik/source.nix` — Shared version and source fetch
 
 ## Related