Changelog
Pomerium now supports Additional Login Redirect Hosts to solve cross-origin authentication challenges in modern web applications. Cross-origin fetch requests often fail if the browser hasn't set a session cookie for the target domain—especially during the initial login flow. This new feature ensures seamless authentication across multiple domains.
Highlights:
Pre-established sessions – By specifying other routes a route depends on, Pomerium performs additional logins during authentication to set session cookies across up to five domains. No more broken fetch calls or manual visits to subdomain APIs.
Invisible to users – The dependency chain executes during the OAuth flow with seamless redirects. Users experience a single login that authenticates them across all necessary domains automatically.
No CORS workarounds – Eliminates the need for proxying API calls through the primary domain or requiring users to manually hit multiple subdomains. Cross-origin requests just work once the session is established.
Route-level control – Define authentication dependencies at the route level using the new pomerium_additional_hosts query parameter. Perfect for frontend/backend splits and multi-subdomain architectures.
See the docs for more information on configuring cross-origin authentication dependencies!
Pomerium now offers experimental support for securing access to Model Context Protocol (MCP) servers, bringing zero trust principles to agentic AI workflows. MCP turns language models into autonomous agents that can query databases, trigger workflows, and update infrastructure. But when AI agents have this power, traditional security models break down. Most organizations are deploying MCP servers directly exposed to agents, creating significant security risks.
Highlights:
Unified access control – Apply the same identity-based policies to AI agents that you use for human users and services. No more separate security models or access sprawl across your infrastructure.
Granular enforcement – Control access at every level: which MCP servers an agent can reach, down to individual tools within each server. Policies can restrict entire servers, specific functions, or individual tools based on context and identity.
Comprehensive audit trail – Every MCP method call, tool parameter, and authorization decision is logged with full context. Critical for compliance, incident response, and understanding how AI agents interact with your systems.
Zero trust for AI workflows – Unlike static OAuth scopes, Pomerium's policies adapt to changing conditions with rate limiting, time-based restrictions, and behavioral monitoring to prevent runaway AI processes.
OAuth2 gateway – Pomerium acts as a secure gateway between MCP clients and servers, handling OAuth 2.1 flows with upstream services so you don't need to implement OAuth in your MCP server. Features proper token separation and PKCE support with policies that adapt to changing conditions.
See our MCP documentation and demo application to get started with secure AI agent access.
Note: This is an experimental feature and may change in future releases. We welcome feedback as we refine MCP support for production environments.
Teams can now SSH securely without tunneling or workflow changes, as Pomerium introduces native SSH oauth-integrated authentication that works with standard SSH clients and leverages identity-aware, policy-driven authorization.
With this release, Pomerium acts as an SSH certificate authority (CA), signing temporary certificates based on successful OAuth authentication. Instead of managing per-user static keys on every server, access is tied to your identity provider (IdP) and enforced in real time by policy.
This makes SSH access:
Zero Trust-aligned
OAuth-backed and centrally authorized
Ephemeral and auditable
Easy to manage at scale
Users connect via:
SSH client → Envoy → Pomerium
The user initiates an SSH connection.
Pomerium prompts an OAuth login (via keyboard-interactive + device code flow).
After successful authentication, Pomerium evaluates context-aware policy for authorization, then generates a short-lived SSH certificate.
The certificate is signed using a configured User CA private key.
Pomerium creates an SSH connection to the desired host using the short-lived SSH certificate.
The SSH server grants access if it trusts the User CA and the certificate fields match policy.
If a user logs in again with the same public key, their credentials will be cached for the duration of the pomerium session or until revoked
No changes are required to SSH clients or existing key setups. Servers must be configured to trust Pomerium's User CA via sshd_config (TrustedUserCAKeys)
.
The generated certificates embed fields like:
Valid principals (usernames)
Expiration time
Session restrictions (e.g., deny port forwarding, shell access)
Static SSH keys are risky and hard to manage at scale. With native SSH support, Pomerium enables:
Fine-grained access based on identity and policy
Fast, easy revocation (just disable the user or change a policy)
Short-lived certs that reduce exposure without burdening users
No need for VPNs, bastion hosts, or custom ssh clients
Perfect for on-call access, ephemeral production access, or Zero Trust SSH in regulated environments.
Generate a User CA key pair
Update your pomerium.config.yaml
to enable SSH support
Define your SSH routes
Distribute the User CA public key to trusted servers (sshd_config → TrustedUserCAKeys
)
Restart SSHD
📖 See our docs for the full setup guide.
We're just getting started with SSH:
Command restrictions and session metadata (coming soon)
Audit integrations for session logging
Secure SSH, simplified and policy-driven.
This is SSH the Zero Trust way — powered by Pomerium.
Pomerium can now protect UDP-based services with the same identity-aware access controls you use for web apps. In v0.29.0, you’re able to tunnel UDP traffic over HTTP, enforcing who can access your UDP services. This means you can secure things like DNS servers, game servers, and other UDP apps without a VPN.
Highlights:
UDP over HTTPS – Pomerium uses HTTP/3 datagram support (MASQUE’s CONNECT-UDP) under the hood to forward UDP packets securely. No modifications to your UDP applications are required.
Consistent policy enforcement – Apply Pomerium’s access policies to UDP routes just like HTTP routes. If a user isn’t authorized, their UDP traffic won’t go through.
Easy client access – Use the pomerium-cli
or Pomerium Desktop to connect. For example, pomerium-cli udp myservice.corp.example:1234
spins up a local proxy for your UDP app.
Works with any UDP service – Protect game servers, database UDP ports, time servers, or any custom UDP protocol with identity-based authentication and logging, bringing zero trust to new protocols.
See the docs, and factorio and dns examples for more information!
v0.29.0 adds support for HTTP/3, so connections to Pomerium can now use the latest web transport protocol. HTTP/3 (built on QUIC) brings speed and reliability improvements that your users will benefit from automatically:
Faster handshakes – QUIC’s efficient connection setup means quicker initial load times, especially on high-latency networks.
Improved performance – Eliminates head-of-line blocking issues present in HTTP/2. Multiple requests can fly in parallel without one slow request holding up others.
Resilience – Connections are more robust to packet loss, and session resumption is faster, making Pomerium feel snappier on spotty networks (e.g. mobile).
Transparent enablement – Pomerium will negotiate HTTP/3 with clients that support it (while seamlessly falling back to HTTP/2 for others). No special configuration needed — just upgrade and enjoy the throughput boost.
Pomerium’s tracing is now powered by OpenTelemetry, making it easier to plug into your existing observability stack. With industry-standard tracing, you get deeper insight into every request that flows through Pomerium. Key improvements include:
Seamless integration – Export Pomerium trace data to your favorite monitoring tools (Jaeger, Datadog, Honeycomb, etc.) without custom adapters.
End-to-end visibility – Each Pomerium service generates standardized spans, so you can follow a user’s journey across authenticate, proxy, envoy, and authorize components in one trace.
Easier debugging – Quickly pinpoint performance bottlenecks or errors in request handling with the rich context provided by OpenTelemetry spans.
All of this works out of the box in v0.29.0—just configure your tracing backend of choice and you’re good to go.
Pomerium Enterprise now supports comprehensive configuration through the official Terraform provider. Users can fully define and manage routes, policies, namespaces, service accounts, and general settings entirely within their Terraform plans.
Users can now fully bootstrap Pomerium Proxy using Terraform, eliminating the need for manual or interactive configuration via the Enterprise UI. This enhancement streamlines infrastructure-as-code practices, facilitating automated deployments and management workflows.
Simplified Automation: Full Terraform support enables automation and integration with existing CI/CD pipelines.
Reproducible Configuration: Enhances consistency and reproducibility of deployments.
Declarative Configuration: Enables efficient, declarative management of complex access policies and configurations.
External References: Allows dynamic reference to external entities such as IdP users and groups that you manage in the Terraform.
For more details, check out the official Configure with Terraform documentation.
Tired of bloated JWTs or exposing too much group information? Pomerium v0.29.0 gives you control over which user groups get embedded in the JWT token that it mints for upstream services. By including only the groups you care about, you can slim down tokens and limit what data gets shared. Highlights:
Trim down token size – Some users belong to hundreds of groups, which can make the JWT payload large which can break application and server header limits. Now you can include just a subset of groups (for instance, only groups used in policy checks or with a certain prefix), avoiding hitting header size limits and improving performance.
Per-route or global settings – Set a global default filter for JWT group claims, and override on specific routes as needed. This flexibility lets you expose broad group info to services that need it, while limiting it for others.
Privacy by design – Only divulge the group context that’s necessary. Internal apps don’t get a long list of every group a user is in—just the ones you’ve deemed relevant.
Simpler downstream logic – Upstream applications no longer have to handle extraneous group data. They can trust that the groups claim in the JWT is already curated to what they expect, making authorization checks more straightforward.
In short, this feature helps you send cleaner, leaner JWTs to your services without sacrificing the rich identity context Pomerium provides. It’s especially handy for organizations with complex directory structures, ensuring that Pomerium’s tokens stay efficient and purposeful.
Building on Pomerium’s authentication capabilities, v0.29.0 introduces the ability to forward downstream Identity Provider (Entra, OIDC, etc) tokens directly to upstream services. In short, you can now optionally have Pomerium authenticate your APIs and applications using the original IdP-issued token (such as an OAuth access token or OpenID Connect ID token) instead of Pomerium’s JWT. Why is this useful?
Seamless backend integration – If your upstream service or API expects an IdP’s bearer token, Pomerium can provide it. Your apps can verify the token as if the user logged in directly, enabling out-of-the-box compatibility with systems that already know how to handle your IdP tokens.
Configurable per route – You can toggle this behavior on routes that need it. For example, for an API service that performs its own token introspection with the IdP, simply enable “IdP token pass-through” and Pomerium will pass along the user’s access token in the Authorization
header.
No custom glue code – This eliminates the need for awkward workarounds or custom middleware. Pomerium handles the secure exchange with the IdP, then transparently forwards the token upstream.
Keeps zero-trust principles – Pomerium still gatekeeps the initial authentication and authorization. The IdP token is only forwarded after Pomerium has verified and allowed the request. You get the convenience of direct IdP token use without exposing unsecured endpoints.
This feature is perfect for service-to-service scenarios and integrations where Pomerium acts as an authentication broker, simplifying access to APIs.
Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.
Company
Quicklinks
Stay Connected
Stay up to date with Pomerium news and announcements.