Pomerium

Pomerium is an identity-aware reverse proxy. It builds secure, clientless connections to internal web apps and other services without a corporate VPN.

Pomerium is:

  • Easier: users connect with the standard tools they already have, like a browser or an SSH client.
  • Faster: deployed where your apps and services are, so traffic does not need to backhaul through a corporate VPN.
  • Safer: every request is authenticated and authorized before it reaches the upstream service.
  • Tailored: identity and context are integrated for fine-grained, context-aware access policies.

Pomerium Core is open source and self-hosted. Pomerium Zero and Pomerium Enterprise add a managed control plane and enterprise features for teams that need them; in every edition the proxy itself (the data plane) stays deployed in your own environment.

Built on Envoy, Pomerium integrates with any OpenID Connect (OIDC) Identity Provider (IdP) you already use, evaluates policy as code for every request, and forwards cryptographically signed JSON Web Tokens (JWTs) to upstream services so that, after verifying the signature, they can trust the identity context without implementing their own login flow.

How Pomerium Works

Every request passes through three stages:

  • Authenticate: Pomerium redirects users to your existing OIDC IdP, then establishes a session scoped to that identity.
  • Authorize: Policy is evaluated for every request. Rules are written in Pomerium Policy Language (PPL), a YAML-based policy-as-code format, so a policy change takes effect without redeploying upstream services.
  • Access: Allowed requests reach the upstream application with a signed JWT containing identity claims, so the app can make its own identity-aware decisions without handling login flows.
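The access stage is the one where upstream code has to do something: it must verify the signed assertion rather than simply read identity out of a header. What follows is an added example, not code from Pomerium or from this page. It is a Go upstream-side verifier for the X-Pomerium-Jwt-Assertion header, checked against the key set Pomerium publishes at /.well-known/pomerium/jwks.json (ES256 over P-256). Everything beyond those two facts is an assumption of the example: the function names, the "demo-key" key ID, the authenticate.example.com and app.example.com issuer and audience values (which hostnames your Pomerium version places in iss and aud depends on its JWT documentation and your route configuration, so pin the values you actually observe), the fixed clock, and the claim layout with aud as a single string. The JWKS and the token are constructed in-process by mintDemoToken with a throwaway key so the program runs offline; a real upstream fetches and caches the JWKS over HTTPS from Pomerium.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JWTs use unpadded base64url throughout

const now int64 = 1_700_000_000 // constructed clock (Unix seconds); real code uses time.Now().Unix()

// Claims: registered iss/aud/exp plus the email and groups Pomerium copies from the IdP.
// Modelling "aud" as a single string is an assumption of this example.
type Claims struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"`
	Email    string   `json:"email"`
	Groups   []string `json:"groups,omitempty"`
	Expiry   int64    `json:"exp"`
}

// JWKS shape as served at /.well-known/pomerium/jwks.json; json.Unmarshal maps the lowercase
// "kty", "crv", "kid", "x", "y" keys onto these fields case-insensitively.
type jwk struct{ Kty, Crv, Kid, X, Y string }
type jwks struct{ Keys []jwk }

// keyFor returns the key named by kid, accepting only EC P-256 (the curve behind ES256);
// ecdsa.Verify itself rejects coordinates that do not form a valid point on the curve.
func (s jwks) keyFor(kid string) (*ecdsa.PublicKey, error) {
	for _, k := range s.Keys {
		x, errX := b64.DecodeString(k.X)
		y, errY := b64.DecodeString(k.Y)
		if k.Kid == kid && k.Kty == "EC" && k.Crv == "P-256" && errX == nil && errY == nil {
			return &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}, nil
		}
	}
	return nil, errors.New("jwks: no usable EC P-256 key matches kid")
}

// VerifyAssertion validates an X-Pomerium-Jwt-Assertion value. The algorithm is pinned to ES256 so
// "alg":"none" or HMAC tokens fail before any key lookup; the signature is checked with the JWKS key
// named by kid; only then are the claims decoded and checked for issuer, audience and expiry.
func VerifyAssertion(token string, keys jwks, issuer, audience string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jwt: malformed token")
	}
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "ES256" {
		return nil, errors.New("jwt: bad header or alg is not ES256")
	}
	pub, err := keys.keyFor(hdr.Kid)
	if err != nil {
		return nil, err
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || len(sig) != 64 { // ES256 signatures are raw r||s, 32 bytes each
		return nil, errors.New("jwt: bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, errors.New("jwt: signature does not verify")
	}
	var c Claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, errors.New("jwt: bad payload")
	}
	if c.Issuer != issuer || c.Audience != audience || now >= c.Expiry {
		return nil, fmt.Errorf("jwt: claims rejected (iss=%q aud=%q exp=%d now=%d)", c.Issuer, c.Audience, c.Expiry, now)
	}
	return &c, nil
}

// mintDemoToken is a constructed fixture, not Pomerium output: it generates a throwaway P-256 key
// standing in for Pomerium's signing key, signs c as an ES256 JWT (header.payload.signature with a
// raw r||s signature) the way a proxy would, and returns the token with the JWKS for that key.
func mintDemoToken(c Claims) (string, jwks) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT", "kid": "demo-key"})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
	coord := func(n *big.Int) string { return b64.EncodeToString(n.FillBytes(make([]byte, 32))) }
	keys := jwks{Keys: []jwk{{Kty: "EC", Crv: "P-256", Kid: "demo-key", X: coord(priv.X), Y: coord(priv.Y)}}}
	return input + "." + b64.EncodeToString(sig), keys
}

func main() {
	tok, keys := mintDemoToken(Claims{Issuer: "authenticate.example.com", Audience: "app.example.com", Email: "alice@example.com", Groups: []string{"developers"}, Expiry: now + 300})
	fmt.Println(VerifyAssertion(tok, keys, "authenticate.example.com", "app.example.com", now))
	fmt.Println(VerifyAssertion(tok, keys, "authenticate.example.com", "other.example.com", now))
}
```

The verifier refuses anything that is not ES256 before it touches a key, so an alg "none" token never reaches the claims check, and it compares the audience so a token minted for one route cannot be replayed against another. The unsigned identity headers a proxy can also forward are convenient, but only the signed assertion proves a request actually came through Pomerium; rely on plain headers only where nothing but the proxy can reach the upstream.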

Core Capabilities

  • Layer 7 reverse proxy: proven proxying built on Envoy, with routing and load balancing for HTTP, TCP, and native SSH workloads.
  • Continuous policy enforcement: centralized policies that authorize every single action, including live revocation of active SSH sessions.
  • Centralized auditing: every request is logged regardless of identity type, giving you a single source of truth for access events.

Common Use Cases

  • Secure Kubernetes access: protect ingress, kubectl, Gateway API, and upstream applications without installing a client on every machine.
  • Enable distributed access: let remote employees, contractors, and distributed teams reach internal services without the latency and management overhead of a VPN.
  • Secure AI and MCP workloads: put identity-aware access control in front of Model Context Protocol (MCP) servers and the agents that call them, with per-request authorization and logging.

Learn by Doing

The interactive content on this hub walks through real Pomerium deployments, end to end, inside browser-based playgrounds. You will configure Pomerium Core, wire it to GitHub OAuth, and verify access policies live.
