Announcing Pomerium v0.32


Pomerium v0.32.0 is all about less friction and more control: SSH access now uses the standard OAuth Authorization Code flow, onboarding can start with a hosted IdP, MCP token refresh is automated, and operators get clearer visibility into databroker state. We also tightened DNS controls and polished a few operational edges.

Enterprise Console upgrade order: upgrade Console to v0.32.0 before Core v0.32.0 to avoid a databroker incompatibility. See the upgrade guide.

What's New

SSH improvements & Reverse Tunnel in Zero

Native SSH now uses the standard OAuth Authorization Code flow in v0.32.0+, removing the device code requirement and simplifying IdP setup. See Native SSH Access for prerequisites and configuration.

We also shipped reverse tunnel and port-forward management improvements to make SSH sessions easier to run at scale. See the v0.32.0 release notes for details.

Hosted authenticate service

v0.32.0 adds a hosted IdP provider type that lets you get started without standing up your own IdP. The Hosted Authenticate Service is available to open source, Pomerium Zero, and Pomerium Enterprise users and does not require configuring a client ID or secret for quick starts. Learn more in Authentication and SSO and Identity Providers.

MCP refresh token support

Pomerium now handles OAuth refresh tokens for upstream MCP services, so MCP servers do not need to manage token lifecycles themselves. MCP is still experimental and requires a runtime flag. See MCP support for details and configuration.

Databroker debug browser and debug endpoint

A new databroker debug browser improves visibility into stored records and troubleshooting workflows. The debug endpoint can be enabled via debug_address, which exposes configuration dumps and other debugging information. By default, the debug server binds to a random localhost port; only expose it in controlled environments. See Debug settings.
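An added example, not Pomerium's own code: a pre-deployment check that classifies a debug_address value by how widely it would listen, so a non-loopback binding is caught in review. It assumes the value is a host:port listen address and that an empty host means all interfaces; the deployment names and sample values are constructed.

```python
import ipaddress

def classify_debug_address(value):
    """Classify how widely a host:port listen address would be reachable."""
    if value is None or not value.strip():
        return "unset"            # page: default is a random localhost port
    host, sep, port = value.strip().rpartition(":")
    if not sep or not port.isdigit() or int(port) > 65535:
        return "invalid"
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]         # bracketed IPv6 literal
    elif ":" in host:
        return "invalid"          # unbracketed IPv6 is ambiguous
    if host == "":
        return "all-interfaces"   # assumption: ":9901" listens everywhere
    if host.lower() == "localhost":
        return "loopback"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"         # needs resolving before it can be judged
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "all-interfaces"
    return "specific-interface"

def exposed(settings):
    """Return the names whose debug_address is not confined to loopback."""
    safe = {"unset", "loopback"}
    return sorted(n for n, v in settings.items()
                  if classify_debug_address(v) not in safe)

# Constructed sample values, keyed by a hypothetical deployment name.
SAMPLES = {
    "dev-laptop": "127.0.0.1:9901",
    "staging": "[::1]:9901",
    "default": None,
    "prod-a": ":9901",
    "prod-b": "0.0.0.0:9901",
    "prod-c": "10.0.0.5:9901",
}

if __name__ == "__main__":
    for name in exposed(SAMPLES):
        print(name, classify_debug_address(SAMPLES[name]))
```

Anything reported by exposed() should sit behind network controls or be moved back to a loopback address before the configuration ships.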

Expanded DNS configuration options

v0.32.0 adds explicit DNS resolvers and surfaces more tuning options (refresh rates, query timeouts, and transport behavior like TCP/UDP) for predictable name resolution in complex networks. See the DNS settings reference for the full list of options.

Other operational improvements

Metrics polish: listeners now include a stats prefix, and Prometheus metrics remove unit/scope tags for cleaner output.

Debug endpoint upgrades: channelz support lands behind the debug endpoint for deeper gRPC introspection.

Upgrade Notes

Enterprise Console users must upgrade Console before Core for v0.32.0. See the upgrade guide.

Full changelog and downloads are in the v0.32.0 release notes.
