Is it possible with Authentik to secure an app on a local network without using a domain name? In other words, using the app's existing IP address and port only.

I have OliveTin setup to run scripts locally on my media server, makes managing things much easier. OliveTin does not have native authentication. I run a Pi-hole instance on the same network. I CAN set this up with a domain by setting up a local DNS CNAME entry in Pi-hole, and this works to secure the app when it's behind a domain name with Authentik (i.e. olivetin.local). The issue is that the application is still accessible via direct IP and I don't want family members able to run scripts as root on my media server. Is this possible? If not, how can I lock down the app's IP address so it's only available if accessed via domain name (would like to avoid messy firewall rules if possible)?

I'm also using NPM (Nginx Proxy Manager).

I've followed several guides and tried a ton of options but if this is possible I'm obviously missing something. It just keeps directing to the app without hitting Authentik when I try to intercept by IP address and port.

The application is not available to the public.

I also have a Synology NAS with a Let's Encrypt wildcard cert available if it would help to achieve this. And I've figured out how to use the Synology's built in reverse proxy and Authentik without NPM for other apps (only mentioning in case this is the way).

Any ideas?