diff --git a/stacks/actualbudget/factory/main.tf b/stacks/actualbudget/factory/main.tf
index e0d77f4b..147d39ea 100644
--- a/stacks/actualbudget/factory/main.tf
+++ b/stacks/actualbudget/factory/main.tf
@@ -155,8 +155,11 @@ resource "kubernetes_service" "actualbudget" {
 }
 
 module "ingress" {
- source = "../../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../../modules/kubernetes/ingress_factory"
+ # auth = "none": Actual Budget enforces a server password + per-user login
+ # on its own sync API. Authentik forward-auth was 302-ing the mobile/web
+ # sync clients; Actual's own auth gates users.
+ auth = "none"
 namespace = "actualbudget"
 name = "budget-${var.name}"
 tls_secret_name = var.tls_secret_name
diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf
index e36bf04a..055924b6 100644
--- a/stacks/affine/main.tf
+++ b/stacks/affine/main.tf
@@ -358,8 +358,11 @@ resource "kubernetes_service" "affine" {
 }
 
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": AFFiNE has its own workspace auth + bearer-token API
+ # used by desktop/mobile sync clients. Authentik forward-auth was 302-ing
+ # those API callers; AFFiNE's own auth gates users.
+ auth = "none"
 dns_type = "non-proxied"
 namespace = kubernetes_namespace.affine.metadata[0].name
 name = "affine"
diff --git a/stacks/ebooks/main.tf b/stacks/ebooks/main.tf
index 23810911..29a6dd63 100644
--- a/stacks/ebooks/main.tf
+++ b/stacks/ebooks/main.tf
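Review bot: The new `auth = "none"` line drops the Authentik forward-auth layer for the entire `budget-${var.name}` host, not only for the sync API paths the comment says were being redirected, so the browser UI, login page and any endpoint the application leaves unauthenticated are now guarded solely by the application's own authentication; the same host-wide downgrade is made in the affine, ebooks, freshrss, immich, linkwarden and tandoor hunks. If `ingress_factory` (or the Authentik proxy provider behind it) can exempt specific paths, exempting only the API routes the clients call would keep SSO in front of the web UI while fixing the 302s. Where that is not possible, the comment should record what now replaces the removed layer, e.g. `# Compensating controls: self-registration disabled, app-side rate limiting/MFA on, auth logs shipped` — and each stack should be checked for those before this is applied, since the comments only assert that the application "gates users", not how well. The `module "ingress"` block continues past the hunk.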
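Review bot: `auth = "none"` now sits next to `dns_type = "non-proxied"` in this block, which suggests the AFFiNE origin is reachable with neither forward-auth nor the edge proxy in front of it, leaving AFFiNE's own login as the only control against credential guessing and account enumeration; the ebooks and immich hunks combine the same two values. If `non-proxied` does mean DNS-only exposure, as the name suggests, confirm the application enforces login rate limiting and has self-signup disabled, or keep these hosts `proxied` so an ingress- or edge-level rate limit still applies, and note the decision in the comment. The `module "ingress"` block continues past the hunk.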
@@ -661,8 +661,11 @@ resource "kubernetes_service" "audiobookshelf" {
 }
 
 module "audiobookshelf_ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": Audiobookshelf has its own user/password login + API
+ # tokens used by the iOS/Android Audiobookshelf app. Authentik forward-auth
+ # was 302-ing the mobile clients; ABS's own auth gates users.
+ auth = "none"
 dns_type = "non-proxied"
 namespace = kubernetes_namespace.ebooks.metadata[0].name
 name = "audiobookshelf"
diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf
index 6544f782..8b40b9cd 100644
--- a/stacks/freshrss/main.tf
+++ b/stacks/freshrss/main.tf
@@ -228,8 +228,11 @@ resource "kubernetes_service" "freshrss" {
 }
 }
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": FreshRSS has built-in user login and exposes Fever +
+ # GReader APIs (/api/fever.php, /api/greader.php) used by mobile RSS
+ # readers like Reeder/FeedMe. Authentik forward-auth was 302-ing those.
+ auth = "none"
 dns_type = "proxied"
 namespace = "freshrss"
 name = "rss"
diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf
index 3389e47c..a50d3641 100644
--- a/stacks/immich/main.tf
+++ b/stacks/immich/main.tf
@@ -737,8 +737,11 @@ resource "kubernetes_service" "immich-machine-learning" {
 }
 
 module "ingress-immich" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": Immich has its own user auth + bearer-token API. Authentik
+ # forward-auth on `/api/*` was 302-ing the iOS/Android Immich app and any
+ # external API consumer. App-level auth is the gate now.
+ auth = "none"
 dns_type = "non-proxied"
 namespace = kubernetes_namespace.immich.metadata[0].name
 name = "immich"
diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf
index eb9e834a..0cd201ef 100644
--- a/stacks/linkwarden/main.tf
+++ b/stacks/linkwarden/main.tf
@@ -228,8 +228,11 @@ resource "kubernetes_service" "linkwarden" {
 }
 
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": Linkwarden uses NextAuth (NEXTAUTH_SECRET/URL set above)
+ # and exposes /api/* for its mobile clients. Authentik forward-auth would
+ # 302 those callers; app-level NextAuth gates users.
+ auth = "none"
 dns_type = "proxied"
 namespace = kubernetes_namespace.linkwarden.metadata[0].name
 name = "linkwarden"
diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf
index 647711f2..e265431b 100644
--- a/stacks/tandoor/main.tf
+++ b/stacks/tandoor/main.tf
@@ -258,8 +258,11 @@ resource "kubernetes_service" "tandoor" {
 }
 
 module "ingress" {
- source = "../../modules/kubernetes/ingress_factory"
- auth = "required"
+ source = "../../modules/kubernetes/ingress_factory"
+ # auth = "none": Tandoor uses Django auth (SECRET_KEY set above) and exposes
+ # /api/* with token auth for its mobile clients. Authentik forward-auth was
+ # 302-ing those callers; Django session/token auth gates users.
+ auth = "none"
 dns_type = "proxied"
 namespace = kubernetes_namespace.tandoor.metadata[0].name
 name = "tandoor"