Pomerium
Pomerium is an identity-aware reverse proxy that provides Zero Trust access control for internal applications, services, and AI agents without requiring a VPN.
At a Glance
Listed Mar 2026
About Pomerium
Pomerium is an identity-aware reverse proxy that enables secure, clientless access to internal applications, databases, services, and AI agents using a Zero Trust model. Every request is authenticated and authorized based on identity, device posture, time, and other contextual signals — not network perimeter. It offers both a managed control plane (Pomerium Zero) and a fully self-hosted enterprise option, with a self-hosted data plane ensuring sensitive traffic never passes through third-party infrastructure.
- Zero Trust Access Control — Evaluates every individual request against authentication, authorization, and contextual signals rather than relying on perimeter-based trust.
- Clientless Operation — Users access internal apps through a browser without installing VPN clients or agents, reducing friction and attack surface.
- Self-Hosted Data Plane — Deploy Pomerium's reverse proxy inside your own environment so internal traffic and data never leave your infrastructure.
- Context-Aware Policies — Write granular authorization policies using identity, group membership, device posture, time, MFA status, and external data sources via OPA Rego or a GUI policy builder.
- Secure Human Access — Supports scoped contractor access, time-bound access, just-in-time access, policy change history, and native SSH access over HTTP.
- Secure Service Access — Authenticates and authorizes service-to-service communication, Kubernetes ingress, internal APIs, and CI/CD pipelines.
- Secure Agentic Access — Enforces policy-based access for MCP servers and AI agents accessing internal tools, dashboards, and data APIs.
- SSO & IdP Integration — Integrates with major identity providers via SSO; supports JWTs, mTLS, and full identity provider data sync.
- Audit & Compliance — Logs every access decision with audit trails, deployment history, traffic reports, and in-console telemetry for compliance readiness.
- Multi-Cluster Management — Manage multiple Pomerium deployments from a centralized control plane with namespaces, RBAC, and hierarchical policies.
To get started, sign up for Pomerium Zero at console.pomerium.app, deploy the self-hosted reverse proxy in your environment with a single command, configure routes and policies via the UI or YAML, and connect your identity provider.
Pricing
Free Plan Available
For individuals and hobbyists looking for a better solution than a VPN.
- Web-based secure application access
- Self-hosted data plane
- Managed control plane
- 1 admin user
- 1 service account
Zero Business
For teams and companies looking to replace VPNs and improve their security posture.
- Web-based secure application access
- Self-hosted data plane
- Managed control plane
- 5 admin users
- 20 service accounts
- 20 policies
- 100 routes
- 100 automatic TLS certificates
- 1000 users
- 5 clusters (multi-cluster support)
- Plug-in support for additional user context sources
- Comprehensive access control criteria
- Simple RBAC
- Metrics and reporting via admin console
- Policy builder UI
- Self-service for application owners
- In-console telemetry
- Dynamic authorization policy as code (OPA Rego)
- Access logs
- Audit logs
- SSO support
- JWT support
- TCP-over-HTTP secure server access
- SSH-over-HTTP secure server access
- mTLS support
- Full identity provider data sync
- Email support
- Community forum support
Enterprise
For large organizations that need a fully self-hosted, on-premise solution with no usage limits.
- Fully self-hosted control plane and data plane
- Unlimited routes, policies, users
- Advanced RBAC with layered permissions
- Namespaces and hierarchical authorization policies
- Branded console, error and utility pages
- Full Pomerium Enterprise API access
- Device attestation
- Relevant context integrations
- Dynamic authorization policy as code (OPA Rego)
- Audit logs and audit reports
- Deployment history and traffic reports
- Dedicated Slack channel
- Phone support
- Dedicated customer success manager
Capabilities
Key Features
- Zero Trust access control
- Identity-aware reverse proxy
- Clientless secure access
- Self-hosted data plane
- Managed control plane (Pomerium Zero)
- Context-aware authorization policies
- SSO and IdP integration
- JWT support and verification SDKs
- mTLS support
- Native SSH access over HTTP
- TCP-over-HTTP secure server access
- Kubernetes security and ingress
- Secure internal APIs
- AI agent and MCP server access control
- Just-in-time access
- Time-bound access
- Scoped contractor access
- Policy builder UI (GUI, YAML, OPA Rego)
- Namespaces and hierarchical policies
- Role-based access control (RBAC)
- Multi-cluster management
- Automatic TLS certificate issuance via Let's Encrypt
- Custom domains
- Audit logs and access logs
- Deployment history and traffic reports
- Device attestation
- Full identity provider data sync
- Branded console and error pages
- Enterprise API for CI/CD integration
- Community forum support
