# Pomerium

> Pomerium is an identity-aware reverse proxy that provides Zero Trust access control for internal applications, services, and AI agents without requiring a VPN.

Pomerium is an identity-aware reverse proxy that enables secure, clientless access to internal applications, databases, services, and AI agents using a Zero Trust model. Every request is authenticated and authorized based on identity, device posture, time, and other contextual signals — not network perimeter. It offers both a managed control plane (Pomerium Zero) and a fully self-hosted enterprise option, with a self-hosted data plane ensuring sensitive traffic never passes through third-party infrastructure.

- **Zero Trust Access Control** — *Evaluates every individual request against authentication, authorization, and contextual signals rather than relying on perimeter-based trust.*
- **Clientless Operation** — *Users access internal apps through a browser without installing VPN clients or agents, reducing friction and attack surface.*
- **Self-Hosted Data Plane** — *Deploy Pomerium's reverse proxy inside your own environment so internal traffic and data never leave your infrastructure.*
- **Context-Aware Policies** — *Write granular authorization policies using identity, group membership, device posture, time, MFA status, and external data sources via OPA Rego or a GUI policy builder.*
- **Secure Human Access** — *Supports scoped contractor access, time-bound access, just-in-time access, policy change history, and native SSH access over HTTP.*
- **Secure Service Access** — *Authenticates and authorizes service-to-service communication, Kubernetes ingress, internal APIs, and CI/CD pipelines.*
- **Secure Agentic Access** — *Enforces policy-based access for MCP servers and AI agents accessing internal tools, dashboards, and data APIs.*
- **SSO & IdP Integration** — *Integrates with major identity providers via SSO; supports JWTs, mTLS, and full identity provider data sync.*
- **Audit & Compliance** — *Logs every access decision with audit trails, deployment history, traffic reports, and in-console telemetry for compliance readiness.*
- **Multi-Cluster Management** — *Manage multiple Pomerium deployments from a centralized control plane with namespaces, RBAC, and hierarchical policies.*

To get started, sign up for Pomerium Zero at console.pomerium.app, deploy the self-hosted reverse proxy in your environment with a single command, configure routes and policies via the UI or YAML, and connect your identity provider.

## Features

- Zero Trust access control
- Identity-aware reverse proxy
- Clientless secure access
- Self-hosted data plane
- Managed control plane (Pomerium Zero)
- Context-aware authorization policies
- SSO and IdP integration
- JWT support and verification SDKs
- mTLS support
- Native SSH access over HTTP
- TCP-over-HTTP secure server access
- Kubernetes security and ingress
- Secure internal APIs
- AI agent and MCP server access control
- Just-in-time access
- Time-bound access
- Scoped contractor access
- Policy builder UI (GUI, YAML, OPA Rego)
- Namespaces and hierarchical policies
- Role-based access control (RBAC)
- Multi-cluster management
- Automatic TLS certificate issuance via LetsEncrypt
- Custom domains
- Audit logs and access logs
- Deployment history and traffic reports
- Device attestation
- Full identity provider data sync
- Branded console and error pages
- Enterprise API for CI/CD integration
- Community forum support

## Integrations

Okta, Google Workspace, Azure Active Directory, GitHub, GitLab, Ping Identity, OneLogin, Kubernetes, LetsEncrypt, OPA (Open Policy Agent), Dropbox, Google Drive, Notion, Slack (dedicated channel support)

## Platforms

WEB, API, LINUX, MACOS, WINDOWS

## Pricing

Open Source, Free tier available

## Links

- Website: https://www.pomerium.com
- Documentation: https://www.pomerium.com/docs
- Repository: https://github.com/pomerium/pomerium
- EveryDev.ai: https://www.everydev.ai/tools/pomerium