Skip to main content

External Data Sources

Pomerium Enterprise

This article describes a use case only available to Pomerium Enterprise customers.

If you believe decisions should be informed by data, then security decisions should be informed by all the data. Today, most applications are limited to using user identity when making access decisions — which leaves systems blind to the multi-faceted forms of attack vectors being exploited in the threat landscape. It turns out an access control system is only as good as the data used in policy decisions.

For more information on how context enriches access decisions, read our blog post here.

Pomerium Enterprise Console's external data feature allows you to collect data from sources other than your identity provider (IdP) to make context-aware policy decisions. Pomerium provides several data sources as examples, but we encourage you to create (and share with the community) your own integrations to expand your data-driven policies.

See the pages in this section for more information on our example data sources, or learn how to create your own by reviewing our datasource repository.

Integrate external data sources in the Console

Configure external data sources in the Console

Any external data source integration requires the following settings:


The path to the external data.

Supported external data formats include:

A JSON file containing an array of objects. Each object must contain an id field.

For example:

example JSON
{"id": "", "": "user4"},
{"id": "", "": "user5"},
{"id": "", "": "user6"}

A CSV file where the first row indicates the field names and subsequent rows are records. One of the fields must be an id.

For example:

example CSV

tar or ZIP files

A .tar or .zip file containing files of one of the formats above. The file path within the .tar file specifies the record type, if not defined in the configuration.

For example, in an archive containing the following structure:

The Pomerium Databroker would be updated with types, devices/jamf, and devices/tanium.

Compressed versions are supported using gz format.

Record Type

Unless defined by the directory structure of a supplied archive file, the Record Type field defines how the records will be stored and accessed in the Databroker.

Foreign Key

Foreign Key is used to map an authorization evaluation to the corresponding record. The supported values are:

  • (Also the default if no value is provided)
  • request.ip
  • request.client_certificate.fingerprint (if mTLS is enabled)

IP range lookup support

For the request.ip foreign key, Pomerium also supports matching against a range of IP addresses (expressed in CIDR notation). This can reduce the number of data records you need.

To match against an IP address range, add a special $index key to your external data source records. For example:

"$index": {"cidr": ""}

See the GeoIP Ranges and Well-Known IP Ranges guides for specific examples.


Headers defined here will be used when connecting to the external data source.

Allow Insecure TLS

If set, allows the import of external data from sources using untrusted TLS certificates.

Polling Min/Max Delay

Defines the minimum and maximum delay times between requests to the external data source. The job would be scheduled to run within min delay intervals.


If a job may not complete within the min delay period, it would be interrupted and restarted. If a job is interrupted by timeout or due to an error, it would be restarted with increasing intervals up to the max delay period.

Client TLS Key

For data sources using mTLS, you can select a client certificate (added under ManageCertificates) to provide to the data source.