diff --git a/docker-compose.yml b/docker-compose.yml
index 59f201a..c76945a 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -65,19 +65,21 @@ services:
       - traefik.docker.network=principal
       - traefik.http.services.evolution-api.loadbalancer.server.port=8080
 
-      # Router: Manager UI protegido con Authentik
-      - traefik.http.routers.evolution-ui.rule=Host(`${APP_DOMAIN}`) && PathPrefix(`/manager`)
+      # Router: Manager UI protegido con Authentik (incluye rutas de callback)
+      - traefik.http.routers.evolution-ui.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/manager`) || PathPrefix(`/outpost.goauthentik.io`))
       - traefik.http.routers.evolution-ui.entrypoints=websecure
       - traefik.http.routers.evolution-ui.tls.certresolver=letsencrypt
       - traefik.http.routers.evolution-ui.service=evolution-api
       - traefik.http.routers.evolution-ui.middlewares=authentik-forward-auth@file,evolution-headers
+      - traefik.http.routers.evolution-ui.priority=100
 
       # Router: API endpoints (autenticación por API Key, sin Authentik)
-      - traefik.http.routers.evolution-api.rule=Host(`${APP_DOMAIN}`)
+      - traefik.http.routers.evolution-api.rule=Host(`${APP_DOMAIN}`) && !PathPrefix(`/outpost.goauthentik.io`) && !PathPrefix(`/manager`)
       - traefik.http.routers.evolution-api.entrypoints=websecure
       - traefik.http.routers.evolution-api.tls.certresolver=letsencrypt
       - traefik.http.routers.evolution-api.service=evolution-api
       - traefik.http.routers.evolution-api.middlewares=evolution-headers
+      - traefik.http.routers.evolution-api.priority=10
 
       # Middleware: Headers
       - traefik.http.middlewares.evolution-headers.headers.customrequestheaders.X-Forwarded-Proto=https