Why Per-Request Authorization Is the Foundation of Zero Trust

The Problem With Session-Based Access

Most access tools treat authentication like a one-time handshake. In these models, once a user or service is validated, they’re granted broad access for the rest of their session, regardless of what changes afterward.

This worked when everything lived behind a firewall. But today, it’s a liability.

• Risk posture can change during a session

• Devices drift from known-good state

• Static permissions remain valid long after the need passes

Traditional session-based access creates blind spots, especially when sessions persist for hours or days. It breaks the Zero Trust model.

What Is Per-Request Authorization?

Per-request authorization means that every request, not just the first, is evaluated, in real-time, against policies.

Each time a user or service tries to access a resource, Pomerium checks identity, role, group membership, time of day, and any custom signals you define with your policies.

This ensures that:

• Access is always intentional

• Policies adapt in real time

• Least privilege is enforced

Why It’s Core to Zero Trust

The heart of Zero Trust is continuous verification. Without per-request authorization, that promise falls apart:

• You can’t adapt to risk if you only evaluate once

• You can’t revoke access mid-session

• You can’t enforce context-aware policies when you rely on coarse-grain session

Pomerium enforces policies at the application layer, in real time, for every request. No traffic rerouting, app rewrites, or third-party data exposure.

Where This Matters Most

Per-request policy isn’t niche. It’s critical across modern infrastructure:

• SSH Access — Issues short-lived, auditable SSH certificates tied to user identity with Pomerium

• Internal Dashboards — Enforce identity-aware, per-route policy for tools like Grafana, Jenkins, and Airflow

• Kubernetes Access — Control access to the dashboard, kubectl, and CI/CD workflows without static kubeconfigs

• AI Agent Access — Authorize every agent action based on the initiating user’s identity with Model Context Protocol (MCP)

• Service-to-Service Traffic — Enforce mutual TLS and per-request policy for internal APIs—no shared secrets required

How Pomerium Enables Per-Request Authorization

Pomerium is an identity-aware proxy  that enforces policies on every request, before requests reach your app or service.

• Identity-aware: Integrates with any OIDC-compliant IdP.

• Contextual: Policies can evaluate identity, group, time, custom headers (e.g. device posture), and more.

• Centralized: Policies are defined once and enforced consistently.

• Clientless: No agent or client software to install, configure and manage. 

• Self-hosted: Data, traffic and decisions stay inside your environment.

This means:

• You can deploy Zero Trust gradually, starting with a single route.

• You don’t need to re-architect your apps.

• You’re not reliant on a vendor’s infrastructure or logging pipeline.

Audit and Compliance Built In

Every access decision is logged. Every request can be traced.

That’s not just helpful for incident response. It’s essential for proving:

• Who accessed what.

• When was it accessed, and from where.

• Under what conditions was it accessed.

Pomerium’s model helps meet requirements for SOC 2, HIPAA, ISO 27001, and NIST 800-53, without bolt-on tools or separate agents.

What to Do Next

Per-request authorization isn’t hard to implement. With Pomerium, it’s built in.

-> Secure your first route with Pomerium

-> Read how companies apply policy in real-time

-> Request a demo

Access shouldn’t be granted once and forgotten. Give every request the scrutiny it deserves with Pomerium.