diff --git a/.env.sample b/.env.sample
index 5c9b497..3b8ba28 100644
--- a/.env.sample
+++ b/.env.sample
@@ -45,9 +45,14 @@ COPY_ASSETS="$COPY_ASSETS icon.png|app:/web/dist/assets/icons/"
 
 # SECRET_NEXTCLOUD_SECRET_VERSION=v1
 # APP_ICONS="nextcloud:~/.abra/recipes/authentik/icons/nextcloud.png"
-
 # COMPOSE_FILE="$COMPOSE_FILE:compose.wordpress.yml"
 # WORDPRESS_DOMAIN=wordpress.example.com
 # SECRET_WORDPRESS_ID_VERSION=v1
 # SECRET_WORDPRESS_SECRET_VERSION=v1
 # APP_ICONS="$APP_ICONS wordpress:~/.abra/recipes/authentik/icons/wordpress.png"
+
+# COMPOSE_FILE="$COMPOSE_FILE:compose.matrix.yml"
+# ELEMENT_DOMAIN=element.example.com
+# SECRET_MATRIX_ID_VERSION=v1
+# SECRET_MATRIX_SECRET_VERSION=v1
+# APP_ICONS="$APP_ICONS matrix:~/.abra/recipes/authentik/icons/matrix.svg"
diff --git a/abra.sh b/abra.sh
index d489439..4d798e0 100644
--- a/abra.sh
+++ b/abra.sh
@@ -7,6 +7,7 @@ export FLOW_TRANSLATION_VERSION=v1
 export SYSTEM_TENANT_VERSION=v1
 export NEXTCLOUD_CONFIG_VERSION=v1
 export WORDPRESS_CONFIG_VERSION=v1
+export MATRIX_CONFIG_VERSION=v1
 
 customize() {
   if [ -z "$1" ]
diff --git a/compose.matrix.yml b/compose.matrix.yml
new file mode 100644
index 0000000..69dac72
--- /dev/null
+++ b/compose.matrix.yml
@@ -0,0 +1,26 @@
+version: "3.8"
+services:
+  worker:
+    secrets:
+      - matrix_id
+      - matrix_secret
+    environment:
+      - ELEMENT_DOMAIN
+    configs:
+      - source: matrix
+        target: /blueprints/matrix.yaml
+
+secrets:
+  matrix_id:
+    external: true
+    name: ${STACK_NAME}_matrix_id_${SECRET_MATRIX_ID_VERSION}
+  matrix_secret:
+    external: true
+    name: ${STACK_NAME}_matrix_secret_${SECRET_MATRIX_SECRET_VERSION}
+
+
+configs:
+  matrix:
+    name: ${STACK_NAME}_matrix_${MATRIX_CONFIG_VERSION}
+    file: matrix.yaml.tmpl
+    template_driver: golang
diff --git a/icons/matrix.svg b/icons/matrix.svg
new file mode 100644
index 0000000..54a91b7
--- /dev/null
+++ b/icons/matrix.svg
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
diff --git a/matrix.yaml.tmpl b/matrix.yaml.tmpl
new file mode 100644
index 0000000..5ef8247
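Review bot: The removed blank line between the nextcloud and wordpress example groups looks accidental, since the other groups in this hunk are separated by one and the new matrix group is itself introduced with one. Keeping that blank line would leave the sample consistent from group to group.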
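Review bot: The external secret names take their version suffix from `SECRET_MATRIX_ID_VERSION` and `SECRET_MATRIX_SECRET_VERSION`, which `.env.sample` only ships commented out; if either is unset, substitution leaves a name ending in a bare underscore and the deploy fails later with a confusing "secret not found" instead of at variable resolution. If the compose loader abra uses honours the `:?` form, `name: ${STACK_NAME}_matrix_id_${SECRET_MATRIX_ID_VERSION:?}` (and the same for `matrix_secret`) would fail fast naming the missing variable; otherwise a short comment at the top of the file listing the variables this file requires would do. The two blank lines before `configs:` could also be reduced to one to match the spacing between `services:` and `secrets:`.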
--- /dev/null
+++ b/matrix.yaml.tmpl
@@ -0,0 +1,43 @@
+version: 1
+metadata:
+  labels:
+    blueprints.goauthentik.io/instantiate: "true"
+  name: matrix
+
+entries:
+
+- attrs:
+    access_code_validity: minutes=1
+    authorization_flow: !Find [authentik_flows.flow, [slug, default-provider-authorization-implicit-consent]]
+    client_id: {{ secret "matrix_id" }}
+    client_secret: {{ secret "matrix_secret" }}
+    client_type: confidential
+    include_claims_in_id_token: true
+    issuer_mode: per_provider
+    name: Matrix
+    property_mappings:
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, openid]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, email]]
+    - !Find [authentik_providers_oauth2.scopemapping, [scope_name, profile]]
+    signing_key: !Find [authentik_crypto.certificatekeypair, [name, authentik Self-signed Certificate]]
+    sub_mode: user_username
+    token_validity: days=30
+  conditions: []
+  id: matrix_provider
+  identifiers:
+    pk: 9997
+  model: authentik_providers_oauth2.oauth2provider
+  state: present
+
+- attrs:
+    meta_launch_url: https://{{ env "ELEMENT_DOMAIN" }}
+    open_in_new_tab: true
+    policy_engine_mode: any
+    provider: !KeyOf matrix_provider
+    slug: matrix
+  conditions: []
+  id: matrix_application
+  identifiers:
+    name: Matrix
+  model: authentik_core.application
+  state: present
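Review bot: `sub_mode: user_username` makes the OIDC `sub` claim the authentik username rather than a stable user id, so if a username is later changed or reassigned in authentik, a Matrix account keyed on `sub` would follow the name rather than the person; if this is deliberate because the Matrix side derives its localpart from `sub`, a comment on that line saying so would keep a future maintainer from "fixing" it. `token_validity: days=30` is likewise a long lifetime for issued tokens and deserves a one-line comment giving the reason, or a shorter value if there is none. The templated `client_id` and `client_secret` values are unquoted YAML scalars, so a generated secret containing `#` or `: ` would be truncated or break blueprint parsing; writing them as `client_secret: '{{ secret "matrix_secret" }}'` (and the same for `client_id`) avoids that.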