diff --git a/roles/authentik/README.md b/roles/authentik/README.md
index 2fb18d1..8311190 100644
--- a/roles/authentik/README.md
+++ b/roles/authentik/README.md
@@ -16,4 +16,13 @@ The role renders blueprints for:
 - Entra ID sources (`authentik_entra_sources`)
 - Login screen sources (`authentik_login_source_ids`)
 
-Secrets are passed via `authentik_blueprint_env` using environment variable references.
\ No newline at end of file
+Secrets are passed via `authentik_blueprint_env` using environment variable references.
+
+## Removing resources
+
+To remove resources from Authentik, move slugs to the removal lists:
+- `authentik_removed_oidc_apps`
+- `authentik_removed_proxy_apps`
+- `authentik_removed_local_users`
+
+After confirming deletion, remove the slug from the list.
\ No newline at end of file
diff --git a/roles/authentik/defaults/main.yml b/roles/authentik/defaults/main.yml
index 8ac0785..85e8a15 100644
--- a/roles/authentik/defaults/main.yml
+++ b/roles/authentik/defaults/main.yml
@@ -111,3 +111,14 @@ authentik_local_users: []
 # attributes:
 # settings:
 # locale: en
+
+# Resources to remove from Authentik (cleanup)
+# Add slugs/names here when removing from the lists above
+authentik_removed_oidc_apps: []
+# - grafana
+
+authentik_removed_proxy_apps: []
+# - whoami
+
+authentik_removed_local_users: []
+# - olduser
diff --git a/roles/authentik/tasks/main.yml b/roles/authentik/tasks/main.yml
index 5a28a69..83805ad 100644
--- a/roles/authentik/tasks/main.yml
+++ b/roles/authentik/tasks/main.yml
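Review bot: The lead comment on the new defaults says `Add slugs/names here`, but `authentik_removed_local_users` is consumed by the cleanup template as a list of usernames, so the third list is under-specified. Suggest one hint per list, e.g. `# Application slugs to delete (matched on application slug and provider name)` above the two app lists and `# Usernames to delete` above `authentik_removed_local_users`. The `# - olduser` example already reads as a username, so only the lead comment needs the change.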
@@ -53,7 +53,8 @@
 (authentik_proxy_outposts | map(attribute='name') | map('regex_replace', '^(.*)$', '30-outpost-\1.yaml') | list) +
 (authentik_entra_sources | map(attribute='slug') | map('regex_replace', '^(.*)$', '20-source-entra-\1.yaml') | list) +
 ['21-login-sources.yaml'] +
- ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], []))
+ ((authentik_local_users | length > 0) | ternary(['05-local-users.yaml'], [])) +
+ (((authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)) | ternary(['00-cleanup.yaml'], []))
 }}
 
 - name: Remove stale blueprint files
@@ -110,6 +111,14 @@
 when: authentik_local_users | length > 0
 register: local_users_bp
 
+- name: Render cleanup blueprint
+ ansible.builtin.template:
+ src: blueprints/blueprint-cleanup.yaml.j2
+ dest: "{{ authentik_docker_volume_dir }}/blueprints/00-cleanup.yaml"
+ mode: "0644"
+ when: (authentik_removed_oidc_apps | length > 0) or (authentik_removed_proxy_apps | length > 0) or (authentik_removed_local_users | length > 0)
+ register: cleanup_bp
+
 - name: Create docker-compose file for authentik
 template:
 src: docker-compose.yml.j2
@@ -129,5 +138,6 @@
 or (entra_bp is defined and (entra_bp.results | selectattr('changed') | list | length > 0))
 or (login_bp is defined and login_bp.changed)
 or (local_users_bp.changed | default(false))
+ or (cleanup_bp.changed | default(false))
 ) | ternary('always','auto') }}
diff --git a/roles/authentik/templates/blueprints/blueprint-cleanup.yaml.j2 b/roles/authentik/templates/blueprints/blueprint-cleanup.yaml.j2
new file mode 100644
index 0000000..27e2461
--- /dev/null
+++ b/roles/authentik/templates/blueprints/blueprint-cleanup.yaml.j2
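Review bot: The three-way `or` over the removal lists that gates `00-cleanup.yaml` in this hunk is repeated verbatim as the `when:` of the new `Render cleanup blueprint` task in the next hunk (`@@ -110,6 +111,14 @@`), so a fourth removal list would have to be wired in two places and the two conditions can drift apart. Computing it once, e.g. a role var or `set_fact` such as `authentik_cleanup_needed: "{{ (authentik_removed_oidc_apps + authentik_removed_proxy_apps + authentik_removed_local_users) | length > 0 }}"`, and using `authentik_cleanup_needed | bool` in both the file list and the `when:` keeps them in step. The expression belongs to a task whose start lies outside this hunk.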
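Review bot: Nothing in the `Render cleanup blueprint` task (second hunk) stops a slug or username from appearing both in an active list and in its removal list; the cleanup blueprint would then delete the object while another blueprint recreates it on every apply, and the order between the files is only a filename convention. An `ansible.builtin.assert` placed before the render task that checks each removal list against the matching active list with `intersect` fails fast instead. The check below covers `authentik_local_users` (assuming its entries carry a `username` key, as the cleanup template expects for removals); the active OIDC/proxy app variables are not in this diff, so the same pattern has to be repeated with them.
```yaml
- name: Refuse removal lists that overlap the active definitions
  ansible.builtin.assert:
    that:
      - (authentik_removed_local_users | intersect(authentik_local_users | map(attribute='username') | list)) | length == 0
    fail_msg: "A username is listed in both authentik_local_users and authentik_removed_local_users"
  # … repeat for the two app lists against the role's active OIDC/proxy app variables (not shown in this diff) …
```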
@@ -0,0 +1,38 @@
+# yaml-language-server: $schema=https://goauthentik.io/blueprints/schema.json
+version: 1
+metadata:
+ name: "cleanup"
+ labels:
+ blueprints.goauthentik.io/instantiate: "true"
+ blueprints.goauthentik.io/description: "Remove stale resources"
+
+entries:
+{% for slug in authentik_removed_oidc_apps %}
+ # Remove OIDC app: {{ slug }}
+ - model: authentik_core.application
+ state: absent
+ identifiers:
+ slug: {{ slug }}
+ - model: authentik_providers_oauth2.oauth2provider
+ state: absent
+ identifiers:
+ name: {{ slug }}
+{% endfor %}
+{% for slug in authentik_removed_proxy_apps %}
+ # Remove proxy app: {{ slug }}
+ - model: authentik_core.application
+ state: absent
+ identifiers:
+ slug: {{ slug }}
+ - model: authentik_providers_proxy.proxyprovider
+ state: absent
+ identifiers:
+ name: {{ slug }}
+{% endfor %}
+{% for username in authentik_removed_local_users %}
+ # Remove user: {{ username }}
+ - model: authentik_core.user
+ state: absent
+ identifiers:
+ username: {{ username }}
+{% endfor %}
\ No newline at end of file
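Review bot: The identifier values are interpolated unquoted (`slug: {{ slug }}`, `name: {{ slug }}`, `username: {{ username }}`), so the rendered blueprint is subject to YAML's implicit typing: a username such as `no`, `on` or an all-digit value is loaded as a boolean or integer and no longer matches the stored string, and a value containing `: ` or ` #` changes the document structure rather than the value. Rendering each of the five identifier values as `{{ slug | to_json }}` / `{{ username | to_json }}` (or at least quoting them, `"{{ slug }}"`) keeps them strings whatever the inventory contains. The provider entries assume each provider is named exactly after its application slug; if the app templates name providers differently this entry is a silent no-op and the provider is left behind, so that naming contract deserves a comment at the top of the file. Deleting `authentik_core.user` by `username` alone matches any user with that name, not only role-managed local ones; narrowing the identifiers (for example with the `path` the local-users blueprint assigns, if it sets one) would limit the damage from a typo in the list.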