diff --git a/Controllers/RedirectController.cs b/Controllers/RedirectController.cs
new file mode 100644
index 0000000..5d9994f
--- /dev/null
+++ b/Controllers/RedirectController.cs
@@ -0,0 +1,28 @@
+using System.Web;
+using AutheliaMultiDomainProxy.Backend;
+using Microsoft.AspNetCore.Mvc;
+
+namespace AutheliaMultiDomainProxy.Controllers;
+
+[Controller]
+[Route("/api/redirect")]
+public class RedirectController : Controller {
+ public IActionResult Get([FromQuery] string dstDomain, [FromQuery] string tgt) {
+ // Check if we are on an allowed domain
+ if (!Vars.PermittedDomains.Any(p => Request.Host.Host.EndsWith("." + p))) {
+ Response.StatusCode = 421;
+ return StatusCode(StatusCodes.Status421MisdirectedRequest);
+ }
+
+ if (string.IsNullOrWhiteSpace(dstDomain) || !Vars.PermittedDomains.Contains(dstDomain) || string.IsNullOrWhiteSpace(tgt)) {
+ Response.StatusCode = StatusCodes.Status421MisdirectedRequest;
+ return BadRequest("Bad request.");
+ }
+
+ // tgt is urlencoded twice because authelia decodes it by one layer
+ var targetUrl =
+ $"{Vars.AutheliaSubdomain}.{Vars.UpstreamPrimaryDomain}/?rd=https%3A%2F%2F{Vars.AuthProxySubdomain}.{Vars.UpstreamPrimaryDomain}%2Fapi%2Fcookieproxy_stage_one%3FdstDomain%3D{dstDomain}%26tgt%3D{HttpUtility.UrlEncode(HttpUtility.UrlEncode(tgt))}";
+ Response.Redirect(targetUrl);
+ return Content($"Redirecting... Click here if you are not redirected automatically", "text/html");
+ }
+}
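Review bot: `tgt` is only checked for being non-empty before it is double-encoded into the `rd` chain in `Get`, so the `PermittedDomains` allowlist constrains `dstDomain` but not the final destination. Unless `cookieproxy_stage_one` (not part of this diff) verifies that `tgt` stays under `dstDomain`, a trusted auth host can end up forwarding users to an arbitrary site after login. Assuming `tgt` is meant to be an absolute URL, reject it here when it does not parse or its host does not match: `if (!Uri.TryCreate(tgt, UriKind.Absolute, out var t) || t.Scheme != Uri.UriSchemeHttps || (!t.Host.Equals(dstDomain, StringComparison.OrdinalIgnoreCase) && !t.Host.EndsWith("." + dstDomain, StringComparison.OrdinalIgnoreCase))) return BadRequest("Bad request.");`. Separately, `targetUrl` begins with `{Vars.AutheliaSubdomain}` and no scheme, so unless that value already carries `https://` the `Location` header will be resolved as a relative path; and the second guard sets status 421 but returns `BadRequest`, which sends 400.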