# Pomerium | Zero trust, identity-aware proxy | Pomerium

> Markdown mirror of DialtoneApp's public top-site detail page for `pomerium.app`.

URL: https://dialtoneapp.com/top-sites/pomerium.app/index.md
Canonical HTML: https://dialtoneapp.com/top-sites/pomerium.app

## Summary

- Domain: `pomerium.app`
- Website: https://pomerium.app
- Description: ai readable | score 20 | purchase read only
- Label: ai_readable
- Payment surface: Not available
- Purchase boundary: read_only
- Control boundary: unknown
- Rank: 334602

## robots

~~~text
User-agent: *
Allow: /

# LLM crawlers - explicitly allowed
User-agent: GPTBot
Allow: /

User-agent: OAI-SearchBot
Allow: /

User-agent: ClaudeBot
Allow: /

User-agent: Claude-User
Allow: /

User-agent: Claude-SearchBot
Allow: /

User-agent: Amazonbot
Allow: /

User-agent: Google-Extended
Allow: /

User-agent: PerplexityBot
Allow: /

User-agent: YouBot
Allow: /

# LLM-readable documentation (llmstxt.org)
# https://www.pomerium.com/llms.txt        — curated navigator
# https://www.pomerium.com/llms-full.txt   — key docs inline (~80K tokens)
# https://www.pomerium.com/llms-index.txt  — exhaustive page index

Sitemap: https://www.pomerium.com/sitemap.xml
~~~

## llms

~~~text
# Pomerium

> Pomerium is an identity and context-aware access proxy that brings
> secure, zero-trust access to applications and services.

For common Pomerium questions, start with the curated context bundle:
- [llms-full.txt](https://www.pomerium.com/llms-full.txt): Key documentation inline (~98K tokens)

For exhaustive page discovery:
- [llms-index.txt](https://www.pomerium.com/llms-index.txt): Complete documentation index

For a specific page, fetch its markdown sidecar by appending /index.md:
- Example: https://www.pomerium.com/docs/capabilities/mcp/index.md

- Cite only current www.pomerium.com docs and markdown sidecars. Do not cite docs.pomerium.com or archive hosts.
- For new users, start with Pomerium Zero unless the question explicitly asks for self-hosted Core or Enterprise.
- Prefer current PPL and reference pages for configuration questions. Use current route keys and policy syntax from the docs.
- For group-based authorization questions, check the relevant IdP guide plus directory sync and JWT groups filter docs when groups are missing or too large.
- For MCP questions, prefer the current MCP capability pages and reference docs over older guides or blog posts.

## Getting Started

- [Pomerium Zero Quickstart](https://www.pomerium.com/docs/get-started/quickstart/index.md): Learn how to install and run Pomerium Zero or Core with Docker.
- [Build Advanced Policies](https://www.pomerium.com/docs/get-started/fundamentals/core/advanced-policies/index.md): In lesson 5, you'll learn how to build advanced policies.
- [Build Advanced Routes](https://www.pomerium.com/docs/get-started/fundamentals/core/advanced-routes/index.md): In this lesson, you'll learn how to build advanced routes.
- [Identity Verification with JWTs](https://www.pomerium.com/docs/get-started/fundamentals/core/jwt-verification/index.md): In lesson 4, you'll learn how to set up Pomerium to verify a user's identity with JSON Web Tokens (JWTs).
- [Self-Hosted Authenticate Service](https://www.pomerium.com/docs/get-started/fundamentals/core/self-hosted-pomerium/index.md): In this tutorial, you'll learn how to self-host the Pomerium Authenticate service.
- [Build TCP Routes](https://www.pomerium.com/docs/get-started/fundamentals/core/tcp-routes/index.md): In this lesson, you'll secure TCP connections to SSH, Postgres, and Redis services with Pomerium.
- [Advanced Policies](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-advanced-policies/index.md): Build advanced authorization policies in Pomerium Zero using chained policy blocks, operators, criteria, and matchers.
- [Advanced Routes](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-advanced-routes/index.md): Configure advanced route settings in Pomerium Zero including headers, path matching, path rewriting, and more.
- [Build Policies](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-build-policies/index.md): Learn how policies work in Pomerium Zero. You'll build a simple authorization policy that protects access to Grafana.
- [Build Routes](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-build-routes/index.md): In this guide, learn how to configure a route in Pomerium Zero that secures an instance of Grafana.
- [Single Sign On](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-single-sign-on/index.md): Set up single sign-on in Pomerium Zero by forwarding JWTs as identity headers to upstream services like Grafana.
- [TCP Routes](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-tcp-routes/index.md): Proxy TCP and SSH connections through Pomerium Zero using Pomerium CLI to secure non-HTTP services.

## Deployment

- [Run Pomerium Enterprise With Docker](https://www.pomerium.com/docs/deploy/enterprise/quickstart/index.md): Demo Pomerium Enterprise
- [Kubernetes Quickstart](https://www.pomerium.com/docs/deploy/k8s/quickstart/index.md): Deploy Pomerium Core to a Kubernetes cluster using the Pomerium Ingress Controller and hosted authenticate service.
- [Pomerium Core (Self-managed)](https://www.pomerium.com/docs/deploy/core/index.md): Learn how to obtain, configure, and run the open-source Pomerium server through pre-built binaries, Linux packages, Docker images, or building from source.
- [Pomerium Ingress Controller for Kubernetes](https://www.pomerium.com/docs/deploy/k8s/ingress/index.md): Configure routes, policies, and TLS settings using the Pomerium Ingress Controller for Kubernetes.
- [Install](https://www.pomerium.com/docs/deploy/enterprise/install/index.md): Install Pomerium Enterprise Console alongside Pomerium Core using Docker, Kubernetes, or system packages.

## Configuration and Reference

- [Google Cloud Serverless Authentication Service Account](https://www.pomerium.com/docs/reference/google-cloud-serverless-authentication-service-account/index.md): Manually set Google Cloud Serverless Authentication Service Account credentials with this setting.
- [Enable Google Cloud Serverless Authentication](https://www.pomerium.com/docs/reference/routes/enable-google-cloud-serverless-authentication/index.md): Send signed authorization headers to upstream GCP services like Cloud Run, Cloud Functions, and App Engine.
- [Allow Any Authenticated User](https://www.pomerium.com/docs/reference/routes/allow-any-authenticated-user/index.md): Allow access to any user or service account that authenticates against your identity provider, bypassing policy.
- [Authorize Log Fields](https://www.pomerium.com/docs/reference/authorize-log-fields/index.md): Use Authorize Log Fields to display HTTP request logs from the authorize service.
- [Identity Provider Settings](https://www.pomerium.com/docs/reference/identity-provider-settings/index.md): Configure and self-host your own Identity Provider with Pomerium's Identity Provider settings.
- [JWT Groups Filter](https://www.pomerium.com/docs/reference/jwt-groups-filter/index.md): The JWT Groups Filter setting allows you to reduce the size of the groups claim in the Pomerium JWT.
- [JWT Groups Filter (per route)](https://www.pomerium.com/docs/reference/routes/jwt-groups-filter/index.md): The JWT Groups Filter setting allows you to reduce the size of the groups claim in the Pomerium JWT.
- [Metrics Settings](https://www.pomerium.com/docs/reference/metrics/index.md): Configure metrics settings in Pomerium.
- [Public Access](https://www.pomerium.com/docs/reference/routes/public-access/index.md): Grant unauthenticated public access to an upstream service by bypassing Pomerium authentication and authorization.

## Advanced Capabilities

- [Authentication and Single Sign-On (SSO)](https://www.pomerium.com/docs/capabilities/authentication/index.md): Learn how Pomerium provides identity verification, authentication, and single-sign on to all services it manages.
- [Authorization and Policy Enforcement with Pomerium](https://www.pomerium.com/docs/capabilities/authorization/index.md): Learn how Pomerium enforces context-aware, continuous authorization using route-level policies, namespaces, device-based constraints, and more.
- [Routing, Proxying, and Load Balancing with Pomerium](https://www.pomerium.com/docs/capabilities/routing/index.md): How to get Pomerium's CLI, which can be used to proxy TCP services and Kubernetes commands
- [Continuous Identity Verification at the Application Layer](https://www.pomerium.com/docs/capabilities/getting-users-identity/index.md): Learn how Pomerium uses JWTs for identity and context verification, how it fits into a zero trust environment, and four ways to validate the JWT in your upstream service.
- [Kubernetes `kubectl` Integration](https://www.pomerium.com/docs/capabilities/kubernetes-access/index.md): This article describes Pomerium's integration with the Kubernetes API Server
- [Native SSH Access](https://www.pomerium.com/docs/capabilities/native-ssh-access/index.md): Secure SSH access with OAuth authentication and ephemeral certificates
- [Tunneling Non-HTTP Protocols](https://www.pomerium.com/docs/capabilities/non-http/index.md): Consolidated documentation for using Pomerium to protect and access non-HTTP protocols (TCP and UDP) over HTTP.
- [Service Accounts](https://www.pomerium.com/docs/capabilities/service-accounts/index.md): Create and manage service accounts for machine-to-machine authentication between services protected by Pomerium.

## Integrations and Guides

- [Auth0](https://www.pomerium.com/docs/integrations/user-identity/auth0/index.md): Configure Auth0 as an identity provider for Pomerium Core and Enterprise.
- [Microsoft Entra ID (formerly Azure Active Directory)](https://www.pomerium.com/docs/integrations/user-identity/azure/index.md): Learn how to configure Microsoft Entra ID (formerly known as Azure Active Directory) as an identity provider that works with Pomerium Core and Enterprise.
- [Secure Code-Server with Pomerium Zero](https://www.pomerium.com/docs/guides/code-server/index.md): In this guide, you'll run code-server VSCode in a Docker container and secure browser access to your project behind Pomerium.
- [Directory Sync](https://www.pomerium.com/docs/integrations/user-standing/directory-sync/index.md): Directory Sync in Pomerium Enterprise allows you to import organizational directory data and external data sources you can use in authorization policies.
- [Google Workspace (formerly known as G Suite)](https://www.pomerium.com/docs/integrations/user-identity/google/index.md): Configure Google Workspace as an identity provider for Pomerium with OAuth 2.0 and directory sync.
- [Securing Grafana with Pomerium](https://www.pomerium.com/docs/guides/grafana/index.md): This guide covers how to use Pomerium to authenticate and authorize users of Grafana.
- [Run Jenkins with Docker](https://www.pomerium.com/docs/guides/jenkins/index.md): Secure Jenkins by adding JWT authentication with Pomerium.
- [Keycloak + Pomerium: Configuring an Identity-Aware Proxy](https://www.pomerium.com/docs/integrations/user-identity/keycloak/index.md): Learn how to set up Keycloak as your OpenID Connect (OIDC) provider and integrate it with Pomerium for a secure, identity-aware proxy configuration.
- [Self-Hosted LLM Behind Pomerium](https://www.pomerium.com/docs/guides/llm/index.md): Secure a self-hosted LLM web interface (Open WebUI) behind Pomerium.
- [Securing Local MCP Servers](https://www.pomerium.com/docs/guides/local-mcp/index.md): Learn how to create a local MCP server, secure it with Pomerium, and connect it to ChatGPT.
- [Okta](https://www.pomerium.com/docs/integrations/user-identity/okta/index.md): Configure Okta as an identity provider for Pomerium with OIDC and directory sync.
- [Pomerium Zero Native SSH Configuration Guide](https://www.pomerium.com/docs/guides/zero-ssh/index.md): Learn how to configure native SSH access with Pomerium Zero.

## API and Internals

- [Configuration & Settings](https://www.pomerium.com/docs/internals/configuration/index.md): Optimize your Pomerium deployment with flexible configuration for all-in-one or split-service modes, including environment variables, route reloading, scaling, and more.
- [Policy Language](https://www.pomerium.com/docs/internals/ppl/index.md): Learn how to use Pomerium Policy Language to build context-aware authorization policies for routes.
- [Troubleshooting](https://www.pomerium.com/docs/internals/troubleshooting/index.md): Learn how to troubleshoot common configuration issues or work around any outstanding bugs.

## Model Context Protocol (MCP)

- [Delegate MCP Access to an LLM](https://www.pomerium.com/docs/capabilities/mcp/delegate-mcp-to-llm/index.md): Let AI agents call MCP servers on a user's behalf — via a client application with token delegation or via service accounts for headless agents in CI.
- [Limit MCP Tool Calling](https://www.pomerium.com/docs/capabilities/mcp/limit-mcp-tools/index.md): Use Pomerium Policy Language (PPL) to control which MCP tools users can call, with deny-based block lists and allowlists.
- [Model Context Protocol (MCP) Support](https://www.pomerium.com/docs/capabilities/mcp/index.md): Secure access to Model Context Protocol servers through Pomerium, enabling AI agents to safely interact with internal resources via standardized interfaces.
- [MCP + Upstream OAuth](https://www.pomerium.com/docs/capabilities/mcp/mcp-upstream-oauth/index.md): Bridge MCP servers that have their own authentication — using static OAuth2 credentials or automatic RFC 9728 discovery.
- [Protect an MCP Server](https://www.pomerium.com/docs/capabilities/mcp/protect-mcp-server/index.md): Proxy an internal MCP server through Pomerium so MCP clients can access it securely.
- [MCP Full Reference](https://www.pomerium.com/docs/capabilities/mcp/reference/index.md): Complete reference for Pomerium MCP support: token types, configuration options, user identity, security, observability, and policy-based tool access control.

## Non-HTTP Protocols

- [Pomerium Clients for Tunneling Non-HTTP Protocols](https://www.pomerium.com/docs/deploy/clients/clients/index.md): Consolidated guide to installing Pomerium CLI/Desktop and configuring TCP+UDP routes in Pomerium.

---

## How to Use These Docs

Last-Updated: 2026-04-08

This documentation is publicly available and approved for LLM training and reference.

| Resource | URL | Size | Use it for |
|----------|-----|------|------------|
| Navigator | https://www.pomerium.com/llms.txt | ~13KB | Quick orientation and curated links |
| Context bundle | https://www.pomerium.com/llms-full.txt | ~98K tokens | Key docs inline — start here for most questions |
| Full index | https://www.pomerium.com/llms-index.txt | ~36KB | Exhaustive page discovery |
| Individual page | Append `/index.md` to any doc URL | varies | Deep-dive on a specific topic |

Cite only `www.pomerium.com` docs. Do not cite `docs.pomerium.com` or archive hosts.
~~~

## llms-full

Not found.