diff --git a/apps/authentik/authentik.yaml b/apps/authentik/authentik.yaml
index ce95942..4d54a87 100644
--- a/apps/authentik/authentik.yaml
+++ b/apps/authentik/authentik.yaml
@@ -286,22 +286,34 @@ spec:
               value: "false"
             - name: AUTHENTIK_LOG_LEVEL
               value: info
+          # First-boot Authentik can take 3+ min on the migration phase
+          # (waiting on DB lock while worker also runs migrations). Initial
+          # delays are generous so kubelet doesn't kill the pod mid-migration;
+          # periodSeconds keeps post-startup probing responsive.
           readinessProbe:
             httpGet:
               path: /-/health/ready/
               port: 9000
-            initialDelaySeconds: 30
+            initialDelaySeconds: 60
             periodSeconds: 10
             timeoutSeconds: 5
-            failureThreshold: 6
+            failureThreshold: 12
           livenessProbe:
             httpGet:
               path: /-/health/live/
               port: 9000
-            initialDelaySeconds: 60
+            initialDelaySeconds: 300
             periodSeconds: 30
             timeoutSeconds: 10
             failureThreshold: 3
+          startupProbe:
+            httpGet:
+              path: /-/health/live/
+              port: 9000
+            initialDelaySeconds: 30
+            periodSeconds: 15
+            timeoutSeconds: 10
+            failureThreshold: 40  # 30s + 40*15s = 10.5 min budget
           resources:
             requests: { cpu: 150m, memory: 512Mi }
             limits: { cpu: 1500m, memory: 1Gi }