AdGuard
Put AdGuard Home behind Pomerium for single sign-on, injecting its basic-auth credential from a Pomerium header so users never see AdGuard's own login.
Argo Workflows
Put Argo Workflows behind the Pomerium Ingress Controller on Kubernetes for single sign-on and per-route authorization.
Cloud Run
Put Pomerium in front of a Cloud Run service as a standard upstream route, with signed authorization headers for GCP serverless authentication.
Cockpit
Put Cockpit, the web-based Linux server management GUI, behind Pomerium so single sign-on gates access before Cockpit's own login screen.
code-server
Run code-server (VS Code in the browser) in Docker and put authentication and authorization in front of it with Pomerium.
Forgejo
Put a Forgejo instance behind Pomerium and use reverse-proxy header authentication so users sign in once and are auto-provisioned from their Pomerium identity.
GitLab
Put self-hosted GitLab behind Pomerium so every request is authenticated and authorized at the front door before it reaches GitLab.
Grafana
Add single sign-on and per-route authorization to Grafana with Pomerium, forwarding a signed identity JWT so Grafana signs users in automatically.
Apache Guacamole
Put Apache Guacamole behind Pomerium and sign users in automatically by forwarding their identity in an HTTP header to Guacamole's header-auth extension.
HedgeDoc
Put HedgeDoc behind Pomerium so single sign-on and per-route authorization gate access to your collaborative Markdown editor.
Homelab Pipeline
Build a production-grade homelab deployment pipeline with Talos Linux, Terraform Cloud, Argo CD, and Pomerium Zero on bare metal.
Istio
Integrate the Pomerium Ingress Controller with an Istio service mesh to extend authentication and authorization to east-west traffic inside your cluster.
Jellyfin
Put a self-hosted Jellyfin media server behind Pomerium so every browser request is authenticated and authorized at the front door before it reaches Jellyfin.
Jenkins
Put Jenkins behind Pomerium for single sign-on, forwarding a signed identity JWT that the Jenkins JWT Auth plugin verifies to sign users in automatically.
Just-In-Time Access
Grant time-limited, Just-In-Time access with Pomerium by using the PPL date matcher, and automate the request and approve workflow with the jit-example app.
Open WebUI (LLM)
Run a self-hosted LLM interface (Open WebUI) behind Pomerium with SSO and trusted-header identity.
MCP Bridge
Front a hosted Model Context Protocol (MCP) server (Linear, GitHub, and others) with Pomerium Zero so your team can use it from Claude, ChatGPT, or VS Code under your SSO, with domain- or group-based access and per-tool controls.
OpenClaw
Deploy OpenClaw behind Pomerium with a single install script that wires up zero-trust authentication, SSH access, and trusted-proxy auth, all automated.
SSH over port 443
Tunnel SSH through Pomerium when client outbound access is restricted to port 443 and Pomerium is behind an L4 edge.
Synology NAS
Put the apps on your Synology NAS behind Pomerium so you get single sign-on and per-route authorization for remote access without running a VPN.
TiddlyWiki
Put TiddlyWiki on Node.js behind Pomerium for single sign-on, and forward the authenticated user's email so TiddlyWiki recognizes who is signed in.
ToolJet
Put ToolJet behind Pomerium so only authenticated users can reach your low-code internal tools.
Transmission
Put Transmission's RPC and web interface behind Pomerium for single sign-on, TLS, and per-user authorization.
Native SSH (Zero)
Configure native, identity-aware SSH access through Pomerium Zero using OAuth login and short-lived SSH certificates.