Skip to main content

Public Access



Because the Public Access setting bypasses authentication and authorization checks, you should enable it only for publicly exposed web services.

The Public Access setting instructs Pomerium to grant unauthorized and unauthenticated access to all requests to the upstream service. If you enable this setting, no other policy should be provided for the route.

robots.txt behavior

By default, Pomerium serves a robots.txt response directly, instructing search engines not to crawl the route domain:

User-agent: *
Disallow: /

For routes with policies that allow public, unauthenticated access, Pomerium will not serve robots.txt directly. Instead, Pomerium will proxy requests for /robots.txt to the upstream service.

How to configure

YAML/JSON settingTypeDefaultUsage


allow_public_unauthenticated_access: true