Like I said. So even if someone find your domain to your jellyfin server they would only see Authentik.

And if you start with authentik you could use it for much more self hosted services so you have one big login page in front of your services.

You would have to exclude the */api/ path in the authentik provide settings, so that if something wants to call the jellyfin api (like Swiftfin) it can go around the sso. It’s not the best practice for security but the only working way I have found.

I would suggest to put it behind an sso service like a self hosted authelia or authentik. So even if someone finds your website they will only see your authentication page and not what’s behind it.