diff --git a/AUTH-PUBLIC-FRONTEND.md b/AUTH-PUBLIC-FRONTEND.md index 13f3229..cac021e 100644 --- a/AUTH-PUBLIC-FRONTEND.md +++ b/AUTH-PUBLIC-FRONTEND.md 
@@ -682,3 +682,139 @@ Out of scope for this design, but noted for future: - Auth state detection - Conditional feature rendering - 401 handling + + +--- + +## Appendix C: Actual Caddy Configuration (2026-04-25) + +**SSH Access Path:** `ssh -J cortex root@192.168.1.101` or from cortex: `ssh ct101` + +### C.1 navi.echo6.co — Current Config + +```caddyfile +navi.echo6.co { + tls /etc/caddy/certs/navi.echo6.co.fullchain.crt /etc/caddy/certs/navi.echo6.co.key + + # Tiles: public, no auth, no encoding (PMTiles needs raw range responses) + handle /tiles/* { + reverse_proxy 100.64.0.24:8440 + } + + # Everything else: Authentik forward auth + handle { + forward_auth https://auth.echo6.co { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid + header_up Host auth.echo6.co + trusted_proxies private_ranges + } + reverse_proxy 100.64.0.24:8440 + } +} +``` + +**Key Observations:** +- **Port 8440** — Navi uses a SEPARATE service from RECON (8420) +- **`/tiles/*` already public** — Map tiles bypass auth +- **All other paths gated** — Full forward_auth to Authentik +- **Headers copied:** Username, Groups, Email, Name, Uid + +### C.2 recon.echo6.co — Current Config + +```caddyfile +recon.echo6.co { + tls /etc/caddy/certs/recon.echo6.co.fullchain.crt /etc/caddy/certs/recon.echo6.co.key + forward_auth https://auth.echo6.co { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid + header_up Host auth.echo6.co + trusted_proxies private_ranges + } + reverse_proxy 100.64.0.24:8420 +} +``` + +**Key Observations:** +- **Port 8420** — RECON dashboard/API +- **Full forward_auth** — No public exceptions +- **Same Authentik headers** as navi + +### C.3 wiki.echo6.co — Current Config (for reference) + +```caddyfile +wiki.echo6.co { + tls /etc/caddy/certs/wiki.echo6.co.fullchain.crt 
/etc/caddy/certs/wiki.echo6.co.key + forward_auth https://auth.echo6.co { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid + header_up Host auth.echo6.co + trusted_proxies private_ranges + } + reverse_proxy 100.64.0.24:8430 { + header_down -Content-Security-Policy + } +} +``` + +### C.4 Implications for Design + +1. **Port Correction:** The design doc Section 4 needs to use port **8440** for navi.echo6.co, not 8420. + +2. **Existing Public Path:** `/tiles/*` is already public — can use same pattern for API routes. + +3. **Separate Services:** navi.echo6.co (8440) and recon.echo6.co (8420) are different backends: + - If navi frontend needs RECON API routes, those would need to be either: + a. Exposed on 8440 as well, OR + b. Proxied from navi to recon internally, OR + c. Frontend calls recon.echo6.co directly (cross-origin) + +4. **Updated Caddy Proposal:** To add public API routes to navi.echo6.co: + +```caddyfile +navi.echo6.co { + tls /etc/caddy/certs/navi.echo6.co.fullchain.crt /etc/caddy/certs/navi.echo6.co.key + + # Tiles: public (existing) + handle /tiles/* { + reverse_proxy 100.64.0.24:8440 + } + + # Public API routes - geocoding, place lookup, etc. 
+ @public_api path /api/geocode* /api/reverse* /api/address_book/* /api/netsyms/* /api/place/* /api/landclass* /api/config* /api/health* /api/kiwix/sources* /api/search /api/whoami + handle @public_api { + reverse_proxy 100.64.0.24:8440 + } + + # Auth-required API routes + @authed_api path /api/contacts/* /api/keys/* /api/nav-i/* /api/traffic/* /api/upload* /api/ingest* /api/crawl* /api/service/* /api/cookies/* /api/vpn/* /api/peertube/channels/add /api/kiwix/toggle* /api/kiwix/trigger* /api/kiwix/upload /api/kiwix/remove* /api/scraper/submit /api/scraper/cancel/* /api/scraper/retry/* /api/scraper/delete/* /api/scraper/clear* + handle @authed_api { + forward_auth https://auth.echo6.co { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid + header_up Host auth.echo6.co + trusted_proxies private_ranges + } + reverse_proxy 100.64.0.24:8440 + } + + # Default: auth for everything else (pages, etc.) + handle { + forward_auth https://auth.echo6.co { + uri /outpost.goauthentik.io/auth/caddy + copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid + header_up Host auth.echo6.co + trusted_proxies private_ranges + } + reverse_proxy 100.64.0.24:8440 + } +} +``` + +### C.5 Open Question Resolved + +**Q1 from Section 11 is now answered:** +- SSH path: `ssh -J cortex root@192.168.1.101` (or `ssh ct101` from cortex) +- CT 101 IP: 192.168.1.101 (local) / 100.64.0.8 (Tailscale) +- Caddy config location: `/etc/caddy/Caddyfile` +- Keys authorized: cortex, toc
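Review bot: the two unauthenticated handlers in the C.4 proposal (`handle /tiles/*` and `handle @public_api`) proxy straight to 100.64.0.24:8440 with no `forward_auth` in front of them, so any `X-Authentik-Username`, `X-Authentik-Groups` or `X-Authentik-Email` header a client sends on those paths reaches the backend unchanged, while on the `@authed_api` and default handlers those same header names are exactly what `copy_headers` uses to tell the app who is logged in. Unless the 8440 service is known to ignore the `X-Authentik-*` headers on every public route, the public blocks should drop them explicitly, e.g. `reverse_proxy 100.64.0.24:8440 { header_up -X-Authentik-Username header_up -X-Authentik-Groups ... }` for each of the five copied headers, so an identity claim can only ever originate from the Authentik outpost. The hunk should also record why `/api/whoami`, `/api/config*`, `/api/search` and `/api/health*` are safe to expose without auth; the `# Public API routes - geocoding, place lookup, etc.` comment covers geocode, reverse and place lookups but gives no rationale for those four, and `/api/whoami` in particular only makes sense as a public route if the backend answers it without trusting any inbound identity header.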