Changelog

What's New?

April 10, 2025

Identity-Aware UDP Tunneling

Pomerium can now protect UDP-based services with the same identity-aware access controls you use for web apps. In v0.29.0, you can tunnel UDP traffic over HTTP and enforce identity-based access to your UDP services. This means you can secure things like DNS servers, game servers, and other UDP apps without a VPN.

Highlights:

  • UDP over HTTPS – Pomerium uses HTTP/3 datagram support (MASQUE’s CONNECT-UDP) under the hood to forward UDP packets securely. No modifications to your UDP applications are required.

  • Consistent policy enforcement – Apply Pomerium’s access policies to UDP routes just like HTTP routes. If a user isn’t authorized, their UDP traffic won’t go through.

  • Easy client access – Use the pomerium-cli or Pomerium Desktop to connect. For example, pomerium-cli udp myservice.corp.example:1234 spins up a local proxy for your UDP app.

  • Works with any UDP service – Protect game servers, database UDP ports, time servers, or any custom UDP protocol with identity-based authentication and logging, bringing zero trust to new protocols.

See the docs and the Factorio and DNS examples for more information.

April 9, 2025

HTTP/3 Support

v0.29.0 adds support for HTTP/3, so connections to Pomerium can now use the latest web transport protocol. HTTP/3 (built on QUIC) brings speed and reliability improvements that your users will benefit from automatically:

  • Faster handshakes – QUIC’s efficient connection setup means quicker initial load times, especially on high-latency networks.

  • Improved performance – Eliminates head-of-line blocking issues present in HTTP/2. Multiple requests can fly in parallel without one slow request holding up others.

  • Resilience – Connections are more robust to packet loss, and session resumption is faster, making Pomerium feel snappier on spotty networks (e.g. mobile).

  • Transparent enablement – Pomerium will negotiate HTTP/3 with clients that support it (while seamlessly falling back to HTTP/2 for others). No special configuration needed — just upgrade and enjoy the throughput boost.

April 8, 2025

OpenTelemetry Tracing

Pomerium’s tracing is now powered by OpenTelemetry, making it easier to plug into your existing observability stack. With industry-standard tracing, you get deeper insight into every request that flows through Pomerium. Key improvements include:

  • Seamless integration – Export Pomerium trace data to your favorite monitoring tools (Jaeger, Datadog, Honeycomb, etc.) without custom adapters.

  • End-to-end visibility – Each Pomerium service generates standardized spans, so you can follow a user’s journey across authenticate, proxy, envoy, and authorize components in one trace.

  • Easier debugging – Quickly pinpoint performance bottlenecks or errors in request handling with the rich context provided by OpenTelemetry spans.

All of this works out of the box in v0.29.0—just configure your tracing backend of choice and you’re good to go.

April 7, 2025

Terraform Provider

Pomerium Enterprise now supports comprehensive configuration through the official Terraform provider. Users can fully define and manage routes, policies, namespaces, service accounts, and general settings entirely within their Terraform plans.

Users can now fully bootstrap Pomerium Proxy using Terraform, eliminating the need for manual or interactive configuration via the Enterprise UI. This enhancement streamlines infrastructure-as-code practices, facilitating automated deployments and management workflows.

  • Simplified Automation: Full Terraform support enables automation and integration with existing CI/CD pipelines.

  • Reproducible Configuration: Enhances consistency and reproducibility of deployments.

  • Declarative Configuration: Enables efficient, declarative management of complex access policies and configurations.

  • External References: Allows dynamic reference to external entities such as IdP users and groups that you manage in Terraform.

For more details, check out the official Configure with Terraform documentation.

April 2, 2025

Selective JWT Group Claims

Tired of bloated JWTs or exposing too much group information? Pomerium v0.29.0 gives you control over which user groups get embedded in the JWT that Pomerium mints for upstream services. By including only the groups you care about, you can slim down tokens and limit what data gets shared. Highlights:

  • Trim down token size – Some users belong to hundreds of groups, which can make the JWT payload so large that it exceeds application and server header limits. Now you can include just a subset of groups (for instance, only groups used in policy checks or groups with a certain prefix), avoiding header size limits and improving performance.

  • Per-route or global settings – Set a global default filter for JWT group claims, and override on specific routes as needed. This flexibility lets you expose broad group info to services that need it, while limiting it for others.

  • Privacy by design – Only divulge the group context that’s necessary. Internal apps don’t get a long list of every group a user is in—just the ones you’ve deemed relevant.

  • Simpler downstream logic – Upstream applications no longer have to handle extraneous group data. They can trust that the groups claim in the JWT is already curated to what they expect, making authorization checks more straightforward.

In short, this feature helps you send cleaner, leaner JWTs to your services without sacrificing the rich identity context Pomerium provides. It’s especially handy for organizations with complex directory structures, ensuring that Pomerium’s tokens stay efficient and purposeful.
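As an added illustration (not Pomerium's own code; the group names, claim layout and the 8 KiB header limit are constructed assumptions), this Python snippet shows why a filtered groups claim matters: a user in a few hundred directory groups yields an Authorization header that blows past a typical per-header limit, while a token carrying only the policy-relevant groups fits comfortably.

```python
import base64
import json

# Constructed sample: a user in 400 LDAP-style groups (not real directory data).
SAMPLE_GROUPS = [f"CN=group-{i:04d},OU=Groups,DC=corp,DC=example" for i in range(400)]

# Assumed: the only groups your access policies actually reference (placeholders).
POLICY_GROUPS = {
    "CN=group-0007,OU=Groups,DC=corp,DC=example",
    "CN=group-0042,OU=Groups,DC=corp,DC=example",
}

# Assumed 8 KiB per-header limit, a common default in servers and proxies.
HEADER_LIMIT_BYTES = 8192


def b64url(data: bytes) -> str:
    # Base64url without padding, the encoding used for JWT segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def filter_groups(groups, allowlist=None, prefix=None):
    # Keep a group if it is in the allowlist or starts with the prefix; order preserved.
    return [g for g in groups
            if (allowlist is not None and g in allowlist)
            or (prefix is not None and g.startswith(prefix))]

def unsigned_jwt(claims: dict) -> str:
    # Header and payload segments with a placeholder signature: only the size matters
    # here; a real Pomerium token carries an ES256 signature over these segments.
    compact = {"separators": (",", ":")}
    header = {"alg": "ES256", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header, **compact).encode()),
                     b64url(json.dumps(claims, **compact).encode()),
                     "SIGNATURE_PLACEHOLDER"])

def header_line_len(token: str) -> int:
    # Bytes of the Authorization header line the upstream service would receive.
    return len(f"Authorization: Bearer {token}\r\n".encode())

def fits_header_limit(token: str, limit: int = HEADER_LIMIT_BYTES) -> bool:
    return header_line_len(token) <= limit

def compare_tokens(groups, allowlist):
    # (full, filtered) header sizes: every group vs. only the allowlisted ones.
    base = {"iss": "pomerium.corp.example", "sub": "user@corp.example"}
    full = unsigned_jwt({**base, "groups": list(groups)})
    slim = unsigned_jwt({**base, "groups": filter_groups(groups, allowlist=allowlist)})
    return header_line_len(full), header_line_len(slim)
```

Calling compare_tokens(SAMPLE_GROUPS, POLICY_GROUPS) returns the two header sizes; the unfiltered one is several times the limit, the filtered one a few hundred bytes.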

April 1, 2025

Direct Identity Provider Token Authentication

Building on Pomerium’s authentication capabilities, v0.29.0 introduces the ability to forward downstream Identity Provider (Entra, OIDC, etc.) tokens directly to upstream services. In short, you can now optionally have Pomerium authenticate to your APIs and applications using the original IdP-issued token (such as an OAuth access token or OpenID Connect ID token) instead of Pomerium’s JWT. Why is this useful?

  • Seamless backend integration – If your upstream service or API expects an IdP’s bearer token, Pomerium can provide it. Your apps can verify the token as if the user logged in directly, enabling out-of-the-box compatibility with systems that already know how to handle your IdP tokens.

  • Configurable per route – You can toggle this behavior on routes that need it. For example, for an API service that performs its own token introspection with the IdP, simply enable “IdP token pass-through” and Pomerium will pass along the user’s access token in the Authorization header.

  • No custom glue code – This eliminates the need for awkward workarounds or custom middleware. Pomerium handles the secure exchange with the IdP, then transparently forwards the token upstream.

  • Keeps zero-trust principles – Pomerium still gatekeeps the initial authentication and authorization. The IdP token is only forwarded after Pomerium has verified and allowed the request. You get the convenience of direct IdP token use without exposing unsecured endpoints.

This feature is perfect for service-to-service scenarios and integrations where Pomerium acts as an authentication broker, simplifying access to APIs.

March 31, 2025

Routes Portal

Navigating to your internal applications just got easier. Routes Portal is a new user interface that lists all the routes (apps and services) you have access to, all in one place. After logging in through Pomerium, users can be presented with a portal page showing available resources, making access more intuitive.

Here’s what it offers:

  • Single landing page – Upon sign-in, users see a dashboard of all their authorized routes. No more remembering a bunch of URLs; just click the service you need from the list.

  • Quick access – Each route is one click away. The portal displays application names (and can show icons or descriptions, if configured) for easy identification.

  • Dynamic updates – The list reflects the user’s current access rights. As soon as an admin adds or removes access, the portal updates to show the correct set of resources.

  • Better user experience – Especially in organizations with dozens of internal apps, whether HTTP, TCP or UDP, the Routes Portal serves as a friendly “app launcher” homepage for your infrastructure. Users can navigate confidently, which means fewer support questions about “Where do I go to access X?”.

No setup required — enable the Routes Portal feature, and Pomerium will automatically present it to your users after authentication.

March 27, 2025

Pomerium v0.29.0

We're thrilled to launch Pomerium v0.29.0, packed with features to improve secure access, user experience, and operational insights for your infrastructure. 

This release introduces:

  • Routes Portal: An intuitive "app dashboard" for end-users to easily discover and access their authorized services.

  • Identity-Aware UDP Tunneling: Extend Pomerium's Zero Trust enforcement to critical UDP-based protocols like DNS, syslog, and internal tools.

  • OpenTelemetry Tracing: Standardize observability with OTEL for end-to-end visibility across Pomerium services (Note: This is a breaking change from previous tracing methods).

  • HTTP/3 Support: Leverage the performance benefits of QUIC for faster and more resilient connections.

  • Direct IdP Token Authentication: Streamline programmatic access using Azure AD tokens directly.

  • Terraform Provider (Enterprise): Fully manage Pomerium configuration as code.

These updates, along with JWT group filtering, hot reloading, and performance optimizations, make managing secure access easier and more comprehensive.

Important: Review the breaking changes, especially regarding tracing configuration, before upgrading.

Dive into the details in our full announcement.

November 12, 2024

Pomerium v0.28.0

Pomerium v0.28 is here, packed with major updates enhancing our Kubernetes integration, deployment flexibility, and security configurations across all editions. This release also includes significant performance optimizations and several critical bug fixes.

Downloads are available on GitHub Releases, CloudSmith, and Docker Hub for all supported platforms.

Major updates include:

  • Support for Structured Authentication Configuration (Kubernetes 1.30+) enabling secure kubectl and Kubernetes API access. Beyond basic Kubernetes RBAC, Pomerium brings the same centralized, context-aware authorization capabilities you love so you can manage your Kubernetes control plane like it was any other workload. For more details, visit our Kubernetes Access documentation.

  • Our Ingress Controller now includes experimental support for the Kubernetes Gateway API, designed to streamline ingress configuration and enhance role-based resource management in complex Kubernetes environments. Supports Gateway API v1.2 "Core" features, with both "Gateway" and "HTTP" conformance profiles. We’re actively expanding Gateway API support and welcome your feedback to guide future improvements.

  • Simplified Kubernetes Deployments with Helm and Kustomize. Our new Helm chart, alongside existing Kustomize manifests, enables quick and seamless integration into Kubernetes environments. Ready to get started? Check out our setup guide in our installs repo.

  • Performance enhancements including faster header evaluation (2x faster than before) and more efficient route matching (unlocking tens of thousands of routes within a given cluster).

Please view the Core and Enterprise changelogs for more information.

Big thank you to all our users, and to everyone who contributed to this release!

Best,

The Pomerium Team

© 2025 Pomerium. All rights reserved