diff --git a/website/docs/outposts/embedded/embedded.md b/website/docs/outposts/embedded/embedded.md new file mode 100644 index 000000000..c3d22d370 --- /dev/null +++ b/website/docs/outposts/embedded/embedded.md 
@@ -0,0 +1,43 @@ +--- +title: Embedded Outpost +--- + +Starting with 2021.8.1, authentik comes with an embedded outpost. This has been added to simplify deployment for users using the Proxy provider. + +The embedded outpost is ran in the main `server` container, and is managed by authentik itself. The embedded outpost authenticates itself via the secret key. + +You can access the embedded outpost on the same ports as authentik itself, 9000 and 9443. + +The embedded outpost cannot be disabled, if it doesn't make sense to use in your deployment you can simply ignore it. + +### Configuration + +Since the outpost uses OAuth2, there is some configuration required. + +On a fresh authentik install, your Outpost list will look like this: + +![](./stock.png) + +Click the edit button on the right of the colum, and set the value of `authentik_host` to the URL you want to login with. +Make sure to set it to full URL, only configuring a hostname or FQDN will not work. + +### Routing + +Routing is handled like this: + +1. Paths starting with `/static`, `/media` and `/help` return packaged CSS/JS files, and user-uploaded media files. +2. Paths starting with `/akprox` are sent to the embedded outpost. +3. Any hosts configured in the providers assigned to the embedded outpost are sent to the outpost. +4. Everything remaining is sent to the authentik backend server. + +### Differences + +There are a few more differences between managed outposts and the embedded outpost, mainly due to the fact that authentik can't fully manage the containers. + +1. (Docker-only) No automatic traefik labels are added to the server container. + + When you deploy a managed outpost on docker, the container has several labels to automatically configure traefik. This is not done for the embedded outpost. + +2. (Kubernetes-only) An additional service is created. 
+ + Since authentik does not know what the normal authentik Service is called, another one is created with a common set of labels that is always set. diff --git a/website/docs/outposts/embedded/stock.png b/website/docs/outposts/embedded/stock.png new file mode 100644 index 000000000..b1f194633 Binary files /dev/null and b/website/docs/outposts/embedded/stock.png differ diff --git a/website/sidebars.js b/website/sidebars.js index 5dfa06d75..af79b26c0 100644 --- a/website/sidebars.js +++ b/website/sidebars.js @@ -43,13 +43,14 @@ module.exports = { label: "Outposts", items: [ "outposts/outposts", + "outposts/embedded/embedded", { type: "category", label: "Running and upgrading", items: [ - "outposts/upgrading", "outposts/manual-deploy-docker-compose", "outposts/manual-deploy-kubernetes", + "outposts/upgrading", ], }, ],
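Review bot: In website/docs/outposts/embedded/embedded.md, the Routing list does not say whether its four rules are evaluated in the order shown, and the result depends on it: a request to a host assigned to the embedded outpost (rule 3) whose path starts with `/static`, `/media` or `/help` (rule 1) matches both rules, and the doc leaves open whether it is served from the packaged files or sent to the outpost. Please state the precedence explicitly, since operators protecting an application behind the Proxy provider need to know which paths on that host bypass the outpost. In the overview, "authenticates itself via the secret key" should name which secret key is meant, given that the same paragraph group says the outpost cannot be disabled. In Configuration, "set it to full URL" should say what a full URL includes, as the next clause only says a hostname or FQDN will not work. Wording: "is ran" should be "is run", "colum" should be "column", the sentence "The embedded outpost cannot be disabled, if it doesn't make sense..." is a comma splice, and `![](./stock.png)` has empty alt text.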
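Review bot: In website/sidebars.js, moving "outposts/upgrading" below "outposts/manual-deploy-docker-compose" and "outposts/manual-deploy-kubernetes" is unrelated to adding the embedded outpost page. Either mention the reorder in the commit message or split it into its own change so the docs addition can be reviewed on its own. The new "outposts/embedded/embedded" entry matches the path of the file added in this patch.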