Poor access controls lead to expensive data breaches. Access is still controlled by identity. But identity is no longer just human.
Pomerium protects your critical workloads from unauthorized access across human, machine, and agentic identities.
Source: IBM Cost of a Data Breach Report
Gain control with just-in-time access, per-request authorization audit logs, and instant revocation all in one place.
Security that stays out of the way so you can ship faster. No clients, no firefighting, no IT tickets necessary.
Pomerium follows the NIST 800-207 Zero Trust Architecture. Every request is authenticated and authorized — no implicit trust is ever granted.
Identity Provider
Integrates with any IdP. Okta, Entra ID, Google, and more.
Device Context
EDR/EPP signals used for access decisions.
Audit & Logging
Full session logs for every request and every user.
Policy as Code
Fine-grained, identity-aware rules enforced in real time.
Continuous Verification:
Once a session is established, Pomerium acts as a gateway for AI traffic — logging every request and re-evaluating policy continuously, not just at login.
See what random people on the internet have to say about us.
Have you tried Pomerium? Clientless access reverse proxy. Zero trust self-hosted setup, so no gray area like "Changes to a tailnet that were initiated by a request to Tailscale’s support team are currently not included."
Since you said "more secure" is a requirement, I highly recommend shifting away from any hosted solution. Third-party compromise is a real attack vector. Cloudflare recently experienced that when Okta's breach spilled over to them.
Use Pomerium.
Pomerium is awesome.
UNBELIEVABLE.. Nobody mentioned POMERIUM yet. What's going on? I recently discovered them a few months back, and it seems to me they are the only ones rightfully aligning with the inevitable ZTNA future!!! What am I missing? Are they not big enough? Not mainstream? Are there others improving IAM? They seem to be IAM+ or IAM on steroids.
I started with nginx proxy manager since I didn't have patience to manually edit nginx configs and tried using Authelia with it, failed. Then Keycloak, same. Then I found Pomerium and I've been using it ever since. Has everything I need out of the box and it hot reloads when you save a config.
I use cloudflared + pomerium core
Awesome find, exactly what I was looking for.
I went a step further and I use pomerium reverse proxy. I chose pomerium, for yaml config making it dead simple, and the ability to add SSO before accessing any service. Basically doing what Authentik or Authelia does but easier to setup and manage. This lets me secure anything behind SSO.
You might want to check out Pomerium. It acts as an identity-aware proxy and supports Keycloak and others. Super easy to run and centrally handles authentication and authorization so you can plug all your dashboards into it and get that global login vibe. Pretty cool project, worth a look
Pomerium is open source, I'd recommend that first
This is really cool - just what I have been looking for!
Instead of using a lot of oauth2-proxys you could use Pomerium instead. Pomerium has its own policies you can apply to the URL. So instead of having an oauth2-proxy for every point that needs privilege separation you can just use one Pomerium instance and create access policies in it.
Here's how I approach it: Nextcloud is in a VM itself. I have another VM that runs Pomerium, a reverse proxy with simple sign-on support, inside of a Docker container. I use certbot-cloudflare Docker to pull my certs. I have Cloudflare set up with edge certs so it's fully verified.
I’ve mostly moved to Komodo + pomerium with Nextcloud as my IDM.
One major thing I like about Pomerium is the Authorization support.
Pomerium reverse proxy. YAML-configured reverse proxy with built-in SSO support to sit in front of any service. Dead simple compared to Authelia et al. I use Nextcloud as my OIDC IDM. Major SAF improvement by having SSO for everything.
Have you checked out Pomerium? The proxy issues a signed JWT for each request w/ claims in headers instead of using a broad OAuth token. Just got my homelab all set up with it. Pretty straightforward.
Pomerium. Dead simple yaml configuration, built in SSO through any IDP.
Came here to learn how to secure AdGuard with a Pomeranian. Left confused.
I use PocketID. The key is to use something like Pomerium as a proxy and use that to enforce SSO…For other apps, I use their SSO integrations and configure it to re-use the credentials for Pomerium
I went with Pomerium for the following reasons
Many IdPs vs. LDAP or file like in Authelia
Forward Auth Mode
K8s Helm Support
Zero Knowledge (No DB like in Authelia)
Rich AuthN
Ease of configuration - I was up and running, working great within an hour!
Thanks for sharing this. I tested it with kubernetes-mcp-server and works great.
I use pocket id directly with service that handles oidc, and put all others behind a pomerium reverse proxy that will handle oidc auth before giving access to the service.
I think ZTNA deployments are in a minority tho. Of course there are some companies doing creative things like combining IAM and access control, for example POMERIUM.
I don’t see a lot of cool stuff on Reddit lately. This, is cool and useful. Nice job
I like Pomerium because it’s a simple yaml to setup, no additional web server needed.
I can recommend Pomerium. We use it as identity aware proxy to protect HTTP endpoints either with Keycloak or Google as respective IDP. Works perfectly fine.
Check out Pomerium. It's a reverse proxy that enforces policy for every request…Pretty slick. Keeps it simple and gives you what you're looking for I think…
That looks amazing, opens up a ton of possibilities for the company I am in. Good work.
Nice :) I've been using pocketid with pomerium and it's been great. Thanks for all the good work!
But after setting this up, replacing my old Traefik without any auth with Pomerium + PocketId (as OIDC), I must say this is a fantastic and comfy setup.
Pomerium has been smooth, easy and nails the final security measures I wanted in the lab. Very excited to expand it to my VPSs and other servers.
Just recently found this, wanted to say great job. Pretty much exactly what I've been looking for.
I use Pomerium, and Pangolin is nice too... I like having reverse proxy and auth handled by a single tool.
I use Pomerium Core. It's an identity-aware reverse proxy. It gives you authentication (with your preferred solution) as well as authorization.
One option is to use an MCP gateway that can manage individual users' upstream OAuth keys, check out https://github.com/pomerium/mcp-app-demo
Interesting, will check it out. Had to make something very similar to this about a month ago. Looks good.
Pomerium Core. Simple yaml config, OIDC redirect like authelia and such but easier to setup. Fantastic reverse proxy.
I’m really enjoying it, it’s an awesome piece of software. It honestly feels like a future of doing user and access control for my home lab.
I personally think Pomerium is the most versatile and powerful solution out there, especially if you are on Kubernetes or even Docker.
There are several competitors that can auth against almost any type of SSO. Pomerium is the one I’ve been enjoying most recently
Pomerium operates at Layer 7, so it can authenticate and authorize every individual request, not just open a connection. Layer 4 tools only see that traffic flowed; they can't enforce per-request policy.
SSO confirms identity at login but stops there. Pomerium adds continuous authorization, evaluating identity, device posture, and context on every request, not just at session start.
Pomerium re-evaluates user context (identity, device, location, groups) on every single request. If anything changes mid-session, access is revoked immediately, with no waiting for token expiry.
Networks control where traffic flows, not who accesses what. Pomerium replaces IP-based rules with identity-and-context-aware access control at the resource level, limiting lateral movement.
Pomerium sits between AI agents and tools, enforcing per-request identity, tool-level authorization, and full audit logging, so agents never hold credentials and every action and tool call is controlled by policy.
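The per-request, identity-and-group-based authorization described above, written as a Pomerium route configuration. This is an added example, not configuration from the Pomerium project or its documentation; the hostnames, upstream addresses, domain and group name are hypothetical placeholders.

```yaml
# Added example, not Pomerium's own docs. Hostnames, upstream addresses,
# domain and group name are hypothetical placeholders.
routes:
  # Internal dashboard: any user who has completed IdP login may reach it.
  - from: https://dashboard.example.test
    to: http://dashboard:8080
    allow_any_authenticated_user: true

  # Admin tool: the policy is evaluated on every request, not only at
  # login, so identity AND current group membership are both checked
  # each time; a user dropped from the group loses access on the next
  # request rather than at token expiry.
  - from: https://admin.example.test
    to: http://admin-tool:3000
    policy:
      - allow:
          and:
            - domain:
                is: example.test
            - groups:
                has: "platform-admins"
    # Forward a signed identity assertion (X-Pomerium-Jwt-Assertion) so the
    # upstream can verify the caller's identity claims rather than trusting
    # unsigned headers that any client on the internal network could forge.
    pass_identity_headers: true
```

The upstream behind `admin-tool` should verify the signature of the forwarded assertion against Pomerium's signing key before acting on its claims; the claims themselves are only as trustworthy as that check.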