Pomerium v0.29.0 brings major enhancements to secure access and user experience. This release focuses on improved observability, expanded support for non-HTTP protocols, and a more user-friendly access portal, alongside critical authentication and policy improvements. From unified OpenTelemetry tracing to identity-aware UDP tunneling, Pomerium v0.29.0 makes it easier to monitor, connect, and manage your infrastructure. This release also includes performance optimizations, developer-focused refinements, and important breaking changes to be aware of when upgrading.
Note: Downloads for v0.29.0 are available on our GitHub Releases, CloudSmith, and Docker Hub for all supported platforms. Be sure to review the upgrade notes due to breaking changes.
One of the most visible additions in v0.29.0 is the Routes Portal, a user-facing homepage that lists all the applications and services you have access to. This portal provides an “app dashboard” experience so end-users can easily discover and navigate to internal services without needing to remember URLs.
Automatic App Listing: Pomerium now exposes a new HTML page that displays each accessible route as a card. Once logged in, users can visit the portal and see all the services they are authorized to access.
Quick Access & CLI Hints: Each app card provides a direct link to launch the service through Pomerium. For non-web services, the portal shows connection instructions (e.g. a one-liner for pomerium-cli or a button to auto-import the endpoint into the Pomerium Desktop app) so users know how to connect for SSH, RDP, etc.
Names, Descriptions, and Logos: Route configuration now includes optional name, description, and logo fields displayed on the portal. This allows admins to add descriptive titles, friendly names, and logos (or automatically fetched favicons) for each service, making them easily identifiable by users.
The Routes Portal requires no additional setup—just upgrade to v0.29.0 and it’s available at Pomerium’s user dashboard path. Admins: to make the most of it, consider updating your route configs with user-friendly names and any available logos. (You can even theme the portal via our branding settings as before.)
Pomerium has long supported tunneling TCP connections; now in v0.29.0 it adds full support for UDP traffic. This unlocks identity-aware access for non-HTTP protocols that use UDP, such as DNS, syslog, gaming or VoIP services. Just like with TCP, you can enforce SSO authentication and authorization policy on UDP streams using Pomerium’s reverse proxy.
UDP Routes: Define routes with udp+https:// in the From URL and udp:// in the To URL to proxy UDP traffic. Pomerium uses the standard CONNECT-UDP mechanism under the hood (as defined for HTTP/3 and the proxy protocols), so UDP is encapsulated over an HTTPS tunnel. No special HTTP settings are needed for UDP routes.
Use Cases: Secure DNS queries by tunneling them through Pomerium, protect internal services that communicate over UDP, or replace VPN setups for UDP-based protocols. For example, you can route DNS traffic from udp+https://dns.corp.example.com to your internal DNS server, gating it on user identity and group membership.
Client Support: The latest Pomerium CLI supports UDP tunnels out of the box. For instance, to use a UDP-based service, run pomerium-cli udp <service-address:port>. In one line you can securely proxy DNS:
If you aren’t already signed in, the CLI will prompt your browser for SSO login and then establish the tunnel.
This feature brings zero-trust security to UDP protocols with the same ease as HTTP. See our Non-HTTP Protocols guide for configuration examples and best practices (e.g. minimizing latency by deploying Pomerium close to users).
Pomerium v0.29.0 introduces a new OpenTelemetry (OTEL) based tracing system, replacing all previously supported tracing providers. This is a breaking change; refer to the upgrade guides for details on configuring OpenTelemetry tracing. With OTEL in place, you can seamlessly trace requests across Pomerium’s services (Proxy, Authenticate, Authorize, etc.) using standard OpenTelemetry tooling, and Pomerium can integrate with your choice of tracing backend (Jaeger, Zipkin, Tempo, Honeycomb, etc.) via the industry-standard OTLP protocol.
End-to-End Request Visibility: Every request through Pomerium can be traced end-to-end, even as it flows through multiple services. This provides deep insight into latencies and failures in your access workflows.
Unified Configuration: Instead of separate configs for Jaeger/Datadog/Zipkin, you now configure tracing once (specifying the OTLP endpoint and options) and use any OpenTelemetry-compatible collector or SaaS. This simplifies setup and eliminates vendor-specific code.
Low Overhead, High Value: The new tracer improves how spans are propagated and sampled. Even at low sample rates, you’ll get more useful distributed trace data with clearer context across services.
For details on enabling tracing and sending it to your telemetry backend, refer to our documentation on tracing configuration. By default, tracing is disabled; to get started, point Pomerium to your OpenTelemetry collector or endpoint and set an appropriate sample rate.
Continuing our commitment to modern protocols, Pomerium v0.29.0 adds HTTP/3 support. Clients can now connect to Pomerium services using HTTP/3 (which uses QUIC under the hood) for improved performance on networks with high latency or packet loss.
Automatic HTTP/3 Enablement: If your environment and clients (browsers or apps) support HTTP/3, Pomerium will automatically advertise and accept HTTP/3 connections. This can reduce page load times and improve reliability for remote users. No additional configuration is required to benefit from HTTP/3 – it works alongside existing HTTP/1.1 and HTTP/2 support.
With HTTP/3, end-users may notice snappier access to apps, especially over VPNs or mobile networks. This change is largely behind-the-scenes; Pomerium will negotiate the best protocol supported by the client.
For organizations using JWT assertion and pass-through, Pomerium v0.29.0 introduces JWT group filtering to give administrators control over which group membership claims are included in issued JWTs. This addresses scenarios where a user may belong to dozens or hundreds of groups, which can bloat the JWT (and corresponding HTTP headers) and potentially cause issues with upstream services.
Global or Per-Route Filtering: You can now specify a filter to include only certain groups in the JWT’s “groups” claim. This can be configured globally (to apply to all routes) and overridden per route if needed. By allow-listing only the relevant group IDs, or group names, you ensure the JWT contains only the information your applications actually need.
Smaller, Safer Tokens: Filtering out extraneous group claims keeps JWT size manageable and prevents headers from exceeding size limits. It also marginally improves security by not disclosing all of a user’s group memberships to every upstream app or service.
Integrity Preserved: Pomerium maintains the JWT signature and required fields, so filtering groups will not break token verification. If a user does not belong to any included groups, the “groups” claim will be an empty list (instead of null) to maximize compatibility with JWT libraries.
This feature is especially useful in enterprise environments with complex directory structures. Configure the allowed groups via Pomerium’s settings (JSON config or Enterprise Console) under the JWT Groups Filter options. By tailoring group claims, you make identity data more concise and relevant for each application.
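The filtering behaviour described above (a global allow list, an optional per-route override, an empty list rather than null when nothing matches), modelled as an added example. This is illustration code, not Pomerium's own implementation; the directory group IDs and names, the claims, and the allow lists are all constructed for the example:

```python
"""Model of JWT group-claim filtering as described for Pomerium v0.29.0.

Added example, not Pomerium's code: it shows the effect of a groups filter on
a token's claims so the behaviour can be inspected and tested offline.
"""
import json
from typing import Iterable, Optional

# Constructed directory data: group IDs as an IdP might issue them, mapped to
# human-readable names. A real deployment gets this from the identity provider.
DIRECTORY_GROUPS = {
    "g-1001": "engineering",
    "g-1002": "sre",
    "g-1003": "finance",
    "g-1004": "all-staff",
}


def effective_filter(global_filter: Optional[Iterable[str]],
                     route_filter: Optional[Iterable[str]]) -> Optional[set]:
    """Resolve which allow list applies to a route.

    A per-route filter overrides the global one; None at a level means
    "no filter configured here". The result is a set of IDs and/or names.
    """
    chosen = route_filter if route_filter is not None else global_filter
    return None if chosen is None else set(chosen)


def filter_groups(claims: dict, allowed: Optional[set]) -> dict:
    """Return a copy of the claims with "groups" reduced to the allow list.

    Entries match by group ID or by the directory name of that ID, so the
    allow list may mix both. All other claims are left untouched, and the
    "groups" claim is always a list (never null), which keeps JWT libraries
    that expect an array happy.
    """
    filtered = dict(claims)
    groups = claims.get("groups") or []
    if allowed is None:                      # no filter: pass groups through
        filtered["groups"] = list(groups)
        return filtered
    filtered["groups"] = [
        g for g in groups if g in allowed or DIRECTORY_GROUPS.get(g) in allowed
    ]
    return filtered


def encoded_size(claims: dict) -> int:
    """Bytes the claims occupy once serialised; useful for seeing how much a
    filter shrinks a token that will travel in an HTTP header."""
    return len(json.dumps(claims, separators=(",", ":")).encode())


if __name__ == "__main__":
    # Constructed claims for a user in every directory group.
    claims = {"sub": "alice@example.test",
              "groups": list(DIRECTORY_GROUPS)}
    allowed = effective_filter(["engineering", "g-1002"], None)
    slim = filter_groups(claims, allowed)
    print(slim["groups"], encoded_size(claims), "->", encoded_size(slim))
```

A per-route list of `[]` is a valid override that strips every group for that route, while leaving the route filter unset falls back to the global list.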
Pomerium v0.29.0 adds the ability to authenticate users using an Identity Provider’s access token directly, without a full OAuth browser redirect flow. In this initial release, we support Azure AD OAuth access tokens for direct authentication. We're interested in hearing from the community about which other IdPs you'd like to see supported in the future!
What does this mean? If a user or service has already obtained a valid access token from Azure Active Directory, they can present it to Pomerium to gain access, rather than going through the usual login redirect. Pomerium will validate the token with the IdP and create a session for the associated user.
Streamlined CLI and Service Auth: This feature is great for command-line tools and automated workflows. For example, a developer who has run az login (Azure CLI) and has an access token can use that token to authenticate with Pomerium via an Authorization: Bearer <token> header or through the Pomerium CLI. This avoids needing a browser during CLI use, making automation smoother.
Use Existing Tokens: In scenarios where another system has already obtained a user token (for instance, an external authenticator or a device that can’t easily do interactive logins), Pomerium can now accept that token directly. This opens up integration possibilities where Pomerium acts as a resource server in an OAuth flow.
Secure Validation: Pomerium verifies the token’s signature and claims with the IdP (ensuring it’s not expired, issued for the correct client, etc.) before trusting it. Only tokens from configured, trusted IdPs are accepted. In v0.29.0, Azure AD is the focus, but future updates may expand direct token support to other providers.
Direct IdP token auth is an opt-in capability – you’ll need to configure Pomerium to recognize and trust these tokens (for Azure AD, this might include setting the OAuth client ID that tokens are issued for, etc.). Refer to our documentation on service accounts and programmatic access for guidance on using this feature. This enhancement makes Pomerium even more flexible in hybrid environments where not all clients are web browsers.
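The checks listed under "Secure Validation" (signature, issuer, intended client, expiry) carried out on a bearer token, as an added example. This is illustration code, not Pomerium's implementation: it signs with a constructed HS256 shared secret so it runs offline, whereas real Azure AD access tokens are RS256-signed and verified against the IdP's published keys; the issuer, audience and claims are constructed placeholders:

```python
"""Resource-server style validation of a directly presented bearer token.

Added example, not Pomerium's code. Demonstrates the order of checks a
verifier performs before trusting a token: pinned algorithm, signature,
issuer, audience (the client the token was issued for), and time window.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-example-secret"          # stand-in for IdP key material
ISSUER = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0"
AUDIENCE = "constructed-pomerium-client-id"     # OAuth client ID tokens are issued for


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET) -> str:
    """Produce a compact HS256 JWS for test input only (never in production)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenRejected(Exception):
    """Raised with a reason a verifier would log (never echoed to the client)."""


def validate_token(token: str, *, audience: str = AUDIENCE, issuer: str = ISSUER,
                   now: float = None, secret: bytes = SECRET) -> dict:
    """Return the claims if every check passes, else raise TokenRejected."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides, not the token's own header.
    if header.get("alg") != "HS256":
        raise TokenRejected("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenRejected("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenRejected("untrusted issuer")
    if claims.get("aud") != audience:
        raise TokenRejected("token not issued for this client")
    if claims.get("nbf", 0) > now:
        raise TokenRejected("not yet valid")
    if claims.get("exp", 0) <= now:
        raise TokenRejected("expired")
    return claims


def accepts(token: str, **kwargs) -> bool:
    """Convenience wrapper: True if validate_token would trust the token."""
    try:
        validate_token(token, **kwargs)
        return True
    except TokenRejected:
        return False


if __name__ == "__main__":
    tok = mint_token({"iss": ISSUER, "aud": AUDIENCE, "sub": "alice",
                      "exp": int(time.time()) + 300})
    print(validate_token(tok)["sub"])
```

Signature verification happens before any claim is read, and the claims are only trusted after issuer and audience match what was configured; a token that is valid for some other client is rejected even though it came from the right IdP.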
Pomerium Enterprise now supports comprehensive configuration through the official Terraform provider. Users can fully define and manage routes, policies, namespaces, service accounts, and general settings entirely within their Terraform plans.
Users can now fully bootstrap Pomerium Proxy using Terraform, eliminating the need for manual or interactive configuration via the Enterprise UI. This enhancement streamlines infrastructure-as-code practices, facilitating automated deployments and management workflows.
Simplified Automation: Full Terraform support enables automation and integration with existing CI/CD pipelines.
Reproducible Configuration: Enhances consistency and reproducibility of deployments.
Declarative Configuration: Enables efficient, declarative management of complex access policies and configurations.
External References: Allows dynamic references to external entities such as IdP users and groups that you manage in Terraform.
In addition to the headline features above, Pomerium v0.29.0 comes with a host of improvements, fixes, and internal changes. Here are a few highlights:
Hot Reload via SIGHUP: You can now trigger Pomerium to reload its configuration by sending a SIGHUP signal to the process. This allows applying config changes (like policy updates) without a full restart, minimizing downtime.
Policy Language Updates: The Pomerium Policy Language (PPL) gained new not and exclude operators for more expressive policy definitions. These make it easier to write rules like “allow all except X” or to exclude specific groups/domains in a policy.
Performance Improvements: We’ve optimized directory group lookups by introducing caching to avoid slow queries, and eliminated redundant session creations when the same IdP token is re-used. These changes reduce latency and load in large deployments.
Developer QoL Fixes: Authorization failures can now return JSON error responses (instead of HTML) when the request comes from an API client (making gRPC and programmatic use smoother). We also tidied up config behavior (e.g. only generating fallback certificates when absolutely needed to avoid false vulnerability flags) and made internal refactors to improve memory usage and startup time.
Breaking Changes: Note that the switch to OpenTelemetry for tracing removes the old tracing configuration keys (such as tracing_provider). If you upgrade, you’ll need to update your config to the new OTEL settings. Be sure to consult the release notes and upgrading guide for all breaking changes before deploying v0.29.0 in production.
Pomerium v0.29.0 is a significant step forward in capability and usability. We’re excited about how these features empower you to secure more types of traffic and give your users a smoother experience. As always, we thank our community and contributors for their feedback and contributions to this release.
Upgrade with care (make backups, test in staging!) and then enjoy the new features. For a full list of changes, check out the changelog on GitHub which includes all fixes and dependency updates.
Thank you for your ongoing support, and happy upgrading!