diff --git a/internal/outpost/proxy/api_bundle.go b/internal/outpost/proxy/api_bundle.go
index 324801009..3079fff74 100644
--- a/internal/outpost/proxy/api_bundle.go
+++ b/internal/outpost/proxy/api_bundle.go
@@ -25,6 +25,7 @@ type providerBundle struct {
 	Host  string
 
 	endSessionUrl string
+	Mode          *api.ProxyMode
 
 	cert *tls.Certificate
 
@@ -49,6 +50,10 @@ func (pb *providerBundle) replaceLocal(url string) string {
 }
 
 func (pb *providerBundle) prepareOpts(provider api.ProxyOutpostConfig) *options.Options {
+	// We need to save the mode in the bundle
+	// Since for the embedded outpost we only switch for fully proxy providers
+	pb.Mode = provider.Mode
+
 	externalHost, err := url.Parse(provider.ExternalHost)
 	if err != nil {
 		log.WithError(err).Warning("Failed to parse URL, skipping provider")
diff --git a/internal/web/web_proxy.go b/internal/web/web_proxy.go
index a6a51425b..101798569 100644
--- a/internal/web/web_proxy.go
+++ b/internal/web/web_proxy.go
@@ -6,6 +6,7 @@ import (
 	"net/http/httputil"
 	"net/url"
 
+	"goauthentik.io/api"
 	"goauthentik.io/internal/utils/web"
 )
 
@@ -36,10 +37,12 @@ func (ws *WebServer) configureProxy() {
 	ws.m.PathPrefix("/").HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		host := web.GetHost(r)
 		if ws.ProxyServer != nil {
-			if _, ok := ws.ProxyServer.Handlers[host]; ok {
-				ws.log.WithField("host", host).Trace("routing to proxy outpost")
-				ws.ProxyServer.Handler(rw, r)
-				return
+			if p, ok := ws.ProxyServer.Handlers[host]; ok {
+				if *p.Mode == api.PROXYMODE_PROXY {
+					ws.log.WithField("host", host).Trace("routing to proxy outpost")
+					ws.ProxyServer.Handler(rw, r)
+					return
+				}
 			}
 		}
 		ws.log.WithField("host", host).Trace("routing to application server")