I am not sure how it works with authentik and the navidrome mobile apps, but I with Authelia and Immich, I basically had to add a header bypass to the traefik config and in the immich mobile app, maybe something similar is possible?

I have mine only internal so i haven’t ran into that. But check console. You mention mobile so if you’re on android you can hook it up to your pc and use debugging through chrome.. In the past I’ve had success looking at error messages to see why my requests were failing. Usually because i wasn’t passing headers correctly.

I use symfonium and it looks like it let’s you pass custom headers if needed. Good luck

Here’s my config for Authelia, maybe it helps:

    - domain: music.server.home
      policy: bypass
      resources:
        - '^/rest.*'
        - '^/api.*'
    - domain: music.server.home
      policy: one_factor

In the end, when I was setting it up, I realized that the only apps I use to connect and listen are using the rest API and I never got that one to work when I was setting it up. I had to bypass rest API endpoints like other poster here and create internal users in navidrome to keep some kind of security.

I would love someone posting up to date guide how to do it properly.

In the end problem was with the Subsonic Api and and the fact that I did not know how to implement subsonic authentication scheme on my proxy (caddy).

www.navidrome.org/docs/usage/reverse-proxy/