diff --git a/security/authelia/configuration.yml b/security/authelia/configuration.yml
index 1ae74b4..844e9a5 100644
--- a/security/authelia/configuration.yml
+++ b/security/authelia/configuration.yml
@@ -47,9 +47,12 @@ access_control:
 - uptime.kaleschke.info
 - files.kaleschke.info
 - scrutiny.kaleschke.info
- - beszel.kaleschke.info
 policy: two_factor
+ # Beszel → OIDC-Login (kein ForwardAuth)
+ - domain: beszel.kaleschke.info
+ policy: bypass
+ # Alles andere — 1FA
 - domain: "*.kaleschke.info"
 policy: one_factor
@@ -91,4 +94,26 @@ notifier:
 totp:
 issuer: kaleschke.info
 period: 30
- skew: 1
\ No newline at end of file
+ skew: 1
+
+identity_providers:
+ oidc:
+ clients:
+ - client_id: 'beszel'
+ client_name: 'Beszel'
+ client_secret: '$argon2id$v=19$m=65536,t=3,p=4$bXTt49iW61s0c8/ZiBlguw$VquorRqL134mjQ6Qa13JY6AI/QCwdk7g1jpc/UtRZPQ'
+ public: false
+ authorization_policy: 'two_factor'
+ require_pkce: true
+ pkce_challenge_method: 'S256'
+ redirect_uris:
+ - 'https://beszel.kaleschke.info/api/oauth2-redirect'
+ scopes:
+ - 'openid'
+ - 'email'
+ - 'profile'
+ response_types:
+ - 'code'
+ grant_types:
+ - 'authorization_code'
+ token_endpoint_auth_method: 'client_secret_basic'
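Review bot: The new `bypass` rule for beszel.kaleschke.info in the access_control hunk takes that host out of Authelia's ForwardAuth check for every path, so the two-factor requirement it had before now holds only for logins that go through the OIDC client. If Beszel also offers its own local password login, that path is not covered by Authelia at all; it is worth confirming it is disabled or restricted before relying on this rule. The comment should also record why the rule sits where it does, e.g. `# Beszel: login via OIDC (2FA enforced by the client's authorization_policy), no ForwardAuth; must stay above the *.kaleschke.info rule`, since Authelia applies the first rule that matches.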
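Review bot: The `client_secret` added under identity_providers.oidc.clients is an argon2id digest committed to the repository, which is acceptable only if the underlying secret is a long random value, because anyone with read access to the repo can run offline guesses against it. A short comment above the line would help the next maintainer: `# argon2id digest of the client secret; the plaintext lives only in Beszel's OIDC settings`. The hunk shows only `clients`; the provider-level signing key and HMAC secret are presumably supplied elsewhere (secret files or environment), which should be confirmed since they are not visible here.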