diff --git a/nodes/heimdall/ntfy/compose.yaml b/nodes/heimdall/ntfy/compose.yaml
index ef74e9d..385c59b 100644
--- a/nodes/heimdall/ntfy/compose.yaml
+++ b/nodes/heimdall/ntfy/compose.yaml
@@ -8,17 +8,26 @@ services:
 - serve
 volumes:
 - /mnt/appdata/ntfy/data:/var/lib/ntfy
- - /mnt/appdata/ntfy/server.yml:/etc/ntfy/server.yml:ro
 networks:
 - proxy-net
 labels:
 - "traefik.enable=true"
+ # Web UI — protected by Authentik
 - "traefik.http.routers.ntfy.rule=Host(`ntfy.castaldifamily.com`)"
 - "traefik.http.routers.ntfy.entrypoints=websecure"
 - "traefik.http.routers.ntfy.tls=true"
 - "traefik.http.routers.ntfy.tls.certresolver=cloudflare"
+ - "traefik.http.routers.ntfy.middlewares=authentik-auth@file"
+ - "traefik.http.routers.ntfy.service=ntfy"
+ - "traefik.http.routers.ntfy.priority=1"
+ # Publish endpoint — POST only, no auth, validated by Ntfy access token
+ - "traefik.http.routers.ntfy-publish.rule=Host(`ntfy.castaldifamily.com`) && Method(`POST`)"
+ - "traefik.http.routers.ntfy-publish.entrypoints=websecure"
+ - "traefik.http.routers.ntfy-publish.tls=true"
+ - "traefik.http.routers.ntfy-publish.tls.certresolver=cloudflare"
+ - "traefik.http.routers.ntfy-publish.service=ntfy"
+ - "traefik.http.routers.ntfy-publish.priority=10"
 - "traefik.http.services.ntfy.loadbalancer.server.port=80"
-
 networks:
 proxy-net:
 external: true
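Review bot: The `ntfy-publish` router lets every POST to the host skip `authentik-auth@file`, so the "validated by Ntfy access token" comment holds only if ntfy itself rejects anonymous writes, and this same hunk removes the read-only `server.yml` mount where that would normally be configured. ntfy's `auth-default-access` defaults to `read-write`, so unless the service's environment (outside this hunk) already sets it, I would add `NTFY_AUTH_DEFAULT_ACCESS=deny-all` and `NTFY_AUTH_FILE=<path under /var/lib/ntfy>` to the service, or restore the config mount. The rule also matches POSTs to ntfy's non-publish API paths, not only topic publishes, so the comment would be more accurate as `# All POSTs bypass Authentik; ntfy's own auth is the only control`. PUT publishes and GET-based subscriptions still fall through to the Authentik-protected router, which may be intended but is worth confirming for non-browser clients.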