diff --git a/containers/authentik/api-go-vendor-hook.nix b/containers/authentik/api-go-vendor-hook.nix
new file mode 100644
index 0000000..3c7e9d6
--- /dev/null
+++ b/containers/authentik/api-go-vendor-hook.nix
@@ -0,0 +1,28 @@
+# Setup hook that injects generated Go API client into the vendor directory
+# Replaces vendor/goauthentik.io/api/v3/ with freshly generated client-go output
+# Skips during FOD (fixed-output derivation) builds to keep vendorHash stable
+{ pkgs ? import { }, sources ? import ./sources.nix { inherit pkgs; } }:
+
+let
+ client-go = import ./client-go.nix { inherit pkgs sources; };
+in
+pkgs.makeSetupHook
+ {
+ name = "authentik-api-go-vendor-hook";
+ }
+ (
+ pkgs.writeShellScript "authentik-api-go-vendor-hook" ''
+ authentikApiGoVendorHook() {
+ chmod -R +w vendor/goauthentik.io/api
+ rm -rf vendor/goauthentik.io/api/v3
+ cp -r ${client-go} vendor/goauthentik.io/api/v3
+
+ echo "Finished authentikApiGoVendorHook"
+ }
+
+ # don't run for FOD, e.g. the goModules build
+ if [ -z ''${outputHash-} ]; then
+ postConfigureHooks+=(authentikApiGoVendorHook)
+ fi
+ ''
+ )
diff --git a/containers/authentik/client-go.nix b/containers/authentik/client-go.nix
new file mode 100644
index 0000000..5b8911d
--- /dev/null
+++ b/containers/authentik/client-go.nix
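Review bot: The `pkgs` default in the argument header of api-go-vendor-hook.nix is not pinned. It is rendered as `import { }` on this page, presumably `import <nixpkgs> { }`, which resolves against the ambient lookup path, so the toolchain is only fixed when a caller passes `pkgs`. The same header appears in client-go.nix, client-ts.nix and sources.nix, where it selects openapi-generator-cli, go, nodejs, typescript and fetchgit. Making the argument mandatory, `{ pkgs, sources ? import ./sources.nix { inherit pkgs; } }:`, would turn an accidental unpinned build into an evaluation error.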
@@ -0,0 +1,47 @@
+# Generate Go API client bindings from authentik's OpenAPI schema
+# Uses openapi-generator-cli to produce Go code from schema.yml
+{ pkgs ? import { }, sources ? import ./sources.nix { inherit pkgs; } }:
+
+pkgs.stdenvNoCC.mkDerivation {
+ pname = "authentik-client-go";
+ version = "3.${sources.version}";
+ inherit (sources) meta;
+
+ src = sources.client-go-src;
+
+ # Docker volume path /local → local pwd
+ postPatch = ''
+ substituteInPlace ./config.yaml \
+ --replace-fail '/local' "$(pwd)"
+ '';
+
+ nativeBuildInputs = with pkgs; [
+ openapi-generator-cli
+ go
+ ];
+
+ buildPhase = ''
+ runHook preBuild
+
+ openapi-generator-cli generate \
+ -i ${sources.src}/schema.yml -o $out \
+ -g go \
+ -c ./config.yaml
+
+ gofmt -w $out
+
+ runHook postBuild
+ '';
+
+ installPhase = ''
+ runHook preInstall
+
+ cp go.mod go.sum $out
+
+ cd $out
+ rm -rf test
+ rm -f .travis.yml git_push.sh
+
+ runHook postInstall
+ '';
+}
diff --git a/containers/authentik/client-ts.nix b/containers/authentik/client-ts.nix
new file mode 100644
index 0000000..8ad395b
--- /dev/null
+++ b/containers/authentik/client-ts.nix
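Review bot: In client-go.nix the generator writes straight into `$out`, and `installPhase` then prunes it with a short deny-list (`test`, `.travis.yml`, `git_push.sh`). Everything else the templates emit stays in the output, and the vendor hook copies it verbatim into `vendor/goauthentik.io/api/v3`. Generating into a scratch directory and installing only what the Go build needs would make the output explicit. If the generated package is flat, that is roughly `-o gen` in `buildPhase` and `mkdir -p $out && cp gen/*.go go.mod go.sum $out/` in `installPhase`. A comment saying why the repository's `go.mod` and `go.sum` are copied over the generated tree would also help.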
@@ -0,0 +1,36 @@
+# Generate TypeScript fetch client bindings from authentik's OpenAPI schema
+# Uses openapi-generator-cli to produce TypeScript code, then compiles with tsc
+{ pkgs ? import { }, sources ? import ./sources.nix { inherit pkgs; } }:
+
+pkgs.stdenvNoCC.mkDerivation {
+ pname = "authentik-client-ts";
+ inherit (sources) version src meta;
+
+ # Docker volume path /local → local pwd
+ postPatch = ''
+ substituteInPlace ./scripts/api/ts-config.yaml \
+ --replace-fail '/local' "$(pwd)"
+ '';
+
+ nativeBuildInputs = with pkgs; [
+ nodejs
+ openapi-generator-cli
+ typescript
+ ];
+
+ buildPhase = ''
+ runHook preBuild
+
+ openapi-generator-cli generate \
+ -i ./schema.yml -o $out \
+ -g typescript-fetch \
+ -c ./scripts/api/ts-config.yaml \
+ --additional-properties=npmVersion=${sources.version} \
+ --git-repo-id authentik --git-user-id goauthentik
+
+ cd $out
+ npm run build
+
+ runHook postBuild
+ '';
+}
diff --git a/containers/authentik/sources.nix b/containers/authentik/sources.nix
new file mode 100644
index 0000000..9134fa8
--- /dev/null
+++ b/containers/authentik/sources.nix
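Review bot: client-ts.nix defines no `installPhase`, so the stdenv default install step (a `make install` when a Makefile is present) still runs after `buildPhase`. It runs from whatever directory the build left the shell in, which is `$out` only because of the `cd $out` before `npm run build`. If that `cd` is later moved into a subshell, the default step would run in the unpacked source tree instead, and would act on any Makefile there. Adding `dontInstall = true;` next to `buildPhase` states that the build output is already in place and removes the dependence on the working directory.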
@@ -0,0 +1,30 @@
+# Centralized version and source pinning for authentik 2026.2.0
+# All sources fetched from forge mirrors for supply chain control
+{ pkgs ? import { } }:
+
+let
+ version = "2026.2.0";
+in
+{
+ inherit version;
+
+ # Main authentik repo — provides schema.yml, Python backend, web UI, Go server
+ src = pkgs.fetchgit {
+ url = "https://forge.ops.eblu.me/mirrors/authentik.git";
+ rev = "version/${version}";
+ hash = "sha256-pVQ34cZYX3hlk6hF1aZ/n32xMqTF4Jmp0G0VGDU7iXc=";
+ };
+
+ # Go API client repo — provides config.yaml, go.mod, go.sum, templates
+ client-go-src = pkgs.fetchgit {
+ url = "https://forge.ops.eblu.me/mirrors/authentik-client-go.git";
+ rev = "v3.${version}";
+ hash = "sha256-DwXw/0QcSDYQKVhPA8tStrSoZooriQex/9FxSJtR/QY=";
+ };
+
+ meta = with pkgs.lib; {
+ description = "Authentik identity provider";
+ homepage = "https://goauthentik.io";
+ license = licenses.mit;
+ };
+}
diff --git a/docs/how-to/authentik/mirror-authentik-build-deps.md b/docs/how-to/authentik/mirror-authentik-build-deps.md
index c45fbfc..e4cf806 100644
--- a/docs/how-to/authentik/mirror-authentik-build-deps.md
+++ b/docs/how-to/authentik/mirror-authentik-build-deps.md
@@ -1,7 +1,6 @@
 ---
 title: Mirror Authentik Build Dependencies
 modified: 2026-02-28
-status: active
 tags:
 - how-to
 - authentik
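Review bot: Both `fetchgit` calls in sources.nix pin `rev` to a tag name (`version/${version}` and `v3.${version}`), which the mirror can re-point. The `hash` turns a moved tag into a build failure rather than a silent change, but it is a hash of the checkout and cannot be compared with upstream's commit id when auditing the mirror. Using the full commit SHA as `rev` and keeping the tag in a comment, e.g. `rev = "<commit-sha-placeholder>"; # tag version/2026.2.0`, lets a reviewer verify the mirror against upstream directly. The same applies to `client-go-src`.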