# Pomerium

> Pomerium is an identity and context-aware access proxy that brings
> secure, zero-trust access to applications and services.

For common Pomerium questions, start with the curated context bundle:

- [llms-full.txt](https://www.pomerium.com/llms-full.txt): Key documentation inline (~97K tokens)

For exhaustive page discovery:

- [llms-index.txt](https://www.pomerium.com/llms-index.txt): Complete documentation index

For a specific page, fetch its markdown sidecar by appending /index.md:

- Example: https://www.pomerium.com/docs/capabilities/mcp/index.md

- Cite only current www.pomerium.com docs and markdown sidecars. Do not cite docs.pomerium.com or archive hosts.
- For new users, start with Pomerium Zero unless the question explicitly asks for self-hosted Core or Enterprise.
- Prefer current PPL and reference pages for configuration questions. Use current route keys and policy syntax from the docs.
- For group-based authorization questions, check the relevant IdP guide plus directory sync and JWT groups filter docs when groups are missing or too large.
- For MCP questions, prefer the current MCP capability pages and reference docs over older guides or blog posts.

## Getting Started

- [Pomerium Zero Quickstart](https://www.pomerium.com/docs/get-started/quickstart/index.md): Learn how to install and run Pomerium Zero or Core with Docker.
- [Build Advanced Policies](https://www.pomerium.com/docs/get-started/fundamentals/core/advanced-policies/index.md): In lesson 5, you'll learn how to build advanced policies.
- [Build Advanced Routes](https://www.pomerium.com/docs/get-started/fundamentals/core/advanced-routes/index.md): In this lesson, you'll learn how to build advanced routes.
- [Identity Verification with JWTs](https://www.pomerium.com/docs/get-started/fundamentals/core/jwt-verification/index.md): In lesson 4, you'll learn how to set up Pomerium to verify a user's identity with JSON Web Tokens (JWTs).
- [Self-Hosted Authenticate Service](https://www.pomerium.com/docs/get-started/fundamentals/core/self-hosted-pomerium/index.md): In this tutorial, you'll learn how to self-host the Pomerium Authenticate service.
- [Build TCP Routes](https://www.pomerium.com/docs/get-started/fundamentals/core/tcp-routes/index.md): In this lesson, you'll secure TCP connections to SSH, Postgres, and Redis services with Pomerium.
- [Advanced Policies](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-advanced-policies/index.md): Build advanced authorization policies in Pomerium Zero using chained policy blocks, operators, criteria, and matchers.
- [Advanced Routes](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-advanced-routes/index.md): Configure advanced route settings in Pomerium Zero including headers, path matching, path rewriting, and more.
- [Build Policies](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-build-policies/index.md): Learn how policies work in Pomerium Zero. You'll build a simple authorization policy that protects access to Grafana.
- [Build Routes](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-build-routes/index.md): In this guide, learn how to configure a route in Pomerium Zero that secures an instance of Grafana.
- [Single Sign On](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-single-sign-on/index.md): Set up single sign-on in Pomerium Zero by forwarding JWTs as identity headers to upstream services like Grafana.
- [TCP Routes](https://www.pomerium.com/docs/get-started/fundamentals/zero/zero-tcp-routes/index.md): Proxy TCP and SSH connections through Pomerium Zero using Pomerium CLI to secure non-HTTP services.

## Deployment

- [Run Pomerium Enterprise With Docker](https://www.pomerium.com/docs/deploy/enterprise/quickstart/index.md): Demo Pomerium Enterprise
- [Kubernetes Quickstart](https://www.pomerium.com/docs/deploy/k8s/quickstart/index.md): Deploy Pomerium Core to a Kubernetes cluster using the Pomerium Ingress Controller and hosted authenticate service.
- [Pomerium Core (Self-managed)](https://www.pomerium.com/docs/deploy/core/index.md): Learn how to obtain, configure, and run the open-source Pomerium server through pre-built binaries, Linux packages, Docker images, or building from source.
- [Pomerium Ingress Controller for Kubernetes](https://www.pomerium.com/docs/deploy/k8s/ingress/index.md): Configure routes, policies, and TLS settings using the Pomerium Ingress Controller for Kubernetes.
- [Install](https://www.pomerium.com/docs/deploy/enterprise/install/index.md): Install Pomerium Enterprise Console alongside Pomerium Core using Docker, Kubernetes, or system packages.

## Configuration and Reference

- [Google Cloud Serverless Authentication Service Account](https://www.pomerium.com/docs/reference/google-cloud-serverless-authentication-service-account/index.md): Manually set Google Cloud Serverless Authentication Service Account credentials with this setting.
- [Enable Google Cloud Serverless Authentication](https://www.pomerium.com/docs/reference/routes/enable-google-cloud-serverless-authentication/index.md): Send signed authorization headers to upstream GCP services like Cloud Run, Cloud Functions, and App Engine.
- [Allow Any Authenticated User](https://www.pomerium.com/docs/reference/routes/allow-any-authenticated-user/index.md): Allow access to any user or service account that authenticates against your identity provider, bypassing policy.
- [Authorize Log Fields](https://www.pomerium.com/docs/reference/authorize-log-fields/index.md): Use Authorize Log Fields to display HTTP request logs from the authorize service.
- [Identity Provider Settings](https://www.pomerium.com/docs/reference/identity-provider-settings/index.md): Configure and self-host your own Identity Provider with Pomerium's Identity Provider settings.
- [JWT Groups Filter](https://www.pomerium.com/docs/reference/jwt-groups-filter/index.md): The JWT Groups Filter setting allows you to reduce the size of the groups claim in the Pomerium JWT.
- [JWT Groups Filter (per route)](https://www.pomerium.com/docs/reference/routes/jwt-groups-filter/index.md): The JWT Groups Filter setting allows you to reduce the size of the groups claim in the Pomerium JWT.
- [Metrics Settings](https://www.pomerium.com/docs/reference/metrics/index.md): Configure metrics settings in Pomerium.
- [Public Access](https://www.pomerium.com/docs/reference/routes/public-access/index.md): Grant unauthenticated public access to an upstream service by bypassing Pomerium authentication and authorization.

## Advanced Capabilities

- [Authentication and Single Sign-On (SSO)](https://www.pomerium.com/docs/capabilities/authentication/index.md): Learn how Pomerium provides identity verification, authentication, and single sign-on to all services it manages.
- [Authorization and Policy Enforcement with Pomerium](https://www.pomerium.com/docs/capabilities/authorization/index.md): Learn how Pomerium enforces context-aware, continuous authorization using route-level policies, namespaces, device-based constraints, and more.
- [Routing, Proxying, and Load Balancing with Pomerium](https://www.pomerium.com/docs/capabilities/routing/index.md): How to get Pomerium's CLI, which can be used to proxy TCP services and Kubernetes commands.
- [Continuous Identity Verification at the Application Layer](https://www.pomerium.com/docs/capabilities/getting-users-identity/index.md): Learn how Pomerium uses JWTs for identity and context verification, how it fits into a zero trust environment, and four ways to validate the JWT in your upstream service.
- [Kubernetes `kubectl` Integration](https://www.pomerium.com/docs/capabilities/kubernetes-access/index.md): This article describes Pomerium's integration with the Kubernetes API Server
- [Native SSH Access](https://www.pomerium.com/docs/capabilities/native-ssh-access/index.md): Secure SSH access with OAuth authentication and ephemeral certificates
- [Tunneling Non-HTTP Protocols](https://www.pomerium.com/docs/capabilities/non-http/index.md): Consolidated documentation for using Pomerium to protect and access non-HTTP protocols (TCP and UDP) over HTTP.
- [Service Accounts](https://www.pomerium.com/docs/capabilities/service-accounts/index.md): Create and manage service accounts for machine-to-machine authentication between services protected by Pomerium.

## Integrations and Guides

- [Auth0](https://www.pomerium.com/docs/integrations/user-identity/auth0/index.md): Configure Auth0 as an identity provider for Pomerium Core and Enterprise.
- [Microsoft Entra ID (formerly Azure Active Directory)](https://www.pomerium.com/docs/integrations/user-identity/azure/index.md): Learn how to configure Microsoft Entra ID (formerly known as Azure Active Directory) as an identity provider that works with Pomerium Core and Enterprise.
- [Secure Code-Server with Pomerium Zero](https://www.pomerium.com/docs/guides/code-server/index.md): In this guide, you'll run code-server VSCode in a Docker container and secure browser access to your project behind Pomerium.
- [Directory Sync](https://www.pomerium.com/docs/integrations/user-standing/directory-sync/index.md): Directory Sync in Pomerium Enterprise allows you to import organizational directory data and external data sources you can use in authorization policies.
- [Google Workspace (formerly known as G Suite)](https://www.pomerium.com/docs/integrations/user-identity/google/index.md): Configure Google Workspace as an identity provider for Pomerium with OAuth 2.0 and directory sync.
- [Securing Grafana with Pomerium](https://www.pomerium.com/docs/guides/grafana/index.md): This guide covers how to use Pomerium to authenticate and authorize users of Grafana.
- [Run Jenkins with Docker](https://www.pomerium.com/docs/guides/jenkins/index.md): Secure Jenkins by adding JWT authentication with Pomerium.
- [Keycloak + Pomerium: Configuring an Identity-Aware Proxy](https://www.pomerium.com/docs/integrations/user-identity/keycloak/index.md): Learn how to set up Keycloak as your OpenID Connect (OIDC) provider and integrate it with Pomerium for a secure, identity-aware proxy configuration.
- [Self-Hosted LLM Behind Pomerium](https://www.pomerium.com/docs/guides/llm/index.md): Secure a self-hosted LLM web interface (Open WebUI) behind Pomerium.
- [Securing Local MCP Servers](https://www.pomerium.com/docs/guides/local-mcp/index.md): Learn how to create a local MCP server, secure it with Pomerium, and connect it to ChatGPT.
- [Okta](https://www.pomerium.com/docs/integrations/user-identity/okta/index.md): Configure Okta as an identity provider for Pomerium with OIDC and directory sync.
- [Pomerium Zero Native SSH Configuration Guide](https://www.pomerium.com/docs/guides/zero-ssh/index.md): Learn how to configure native SSH access with Pomerium Zero.

## API and Internals

- [Configuration & Settings](https://www.pomerium.com/docs/internals/configuration/index.md): Optimize your Pomerium deployment with flexible configuration for all-in-one or split-service modes, including environment variables, route reloading, scaling, and more.
- [Policy Language](https://www.pomerium.com/docs/internals/ppl/index.md): Learn how to use Pomerium Policy Language to build context-aware authorization policies for routes.
- [Troubleshooting](https://www.pomerium.com/docs/internals/troubleshooting/index.md): Learn how to troubleshoot common configuration issues or work around any outstanding bugs.

## Model Context Protocol (MCP)

- [Delegate MCP Access to an LLM](https://www.pomerium.com/docs/capabilities/mcp/delegate-mcp-to-llm/index.md): Let AI agents call MCP servers on a user's behalf — via a client application with token delegation or via service accounts for headless agents in CI.
- [Limit MCP Tool Calling](https://www.pomerium.com/docs/capabilities/mcp/limit-mcp-tools/index.md): Use Pomerium Policy Language (PPL) to control which MCP tools users can call, with deny-based block lists and allowlists.
- [Model Context Protocol (MCP) Support](https://www.pomerium.com/docs/capabilities/mcp/index.md): Secure access to Model Context Protocol servers through Pomerium, enabling AI agents to safely interact with internal resources via standardized interfaces.
- [MCP + Upstream OAuth](https://www.pomerium.com/docs/capabilities/mcp/mcp-upstream-oauth/index.md): Bridge MCP servers that have their own authentication — using static OAuth2 credentials or automatic RFC 9728 discovery.
- [Protect an MCP Server](https://www.pomerium.com/docs/capabilities/mcp/protect-mcp-server/index.md): Proxy an internal MCP server through Pomerium so MCP clients can access it securely.
- [MCP Full Reference](https://www.pomerium.com/docs/capabilities/mcp/reference/index.md): Complete reference for Pomerium MCP support: token types, configuration options, user identity, security, observability, and policy-based tool access control.

## Non-HTTP Protocols

- [Pomerium Clients for Tunneling Non-HTTP Protocols](https://www.pomerium.com/docs/deploy/clients/clients/index.md): Consolidated guide to installing Pomerium CLI/Desktop and configuring TCP+UDP routes in Pomerium.

---

## How to Use These Docs

Last-Updated: 2026-03-31

This documentation is publicly available and approved for LLM training and reference.

| Resource | URL | Size | Use it for |
|----------|-----|------|------------|
| Navigator | https://www.pomerium.com/llms.txt | ~13KB | Quick orientation and curated links |
| Context bundle | https://www.pomerium.com/llms-full.txt | ~97K tokens | Key docs inline — start here for most questions |
| Full index | https://www.pomerium.com/llms-index.txt | ~36KB | Exhaustive page discovery |
| Individual page | Append `/index.md` to any doc URL | varies | Deep-dive on a specific topic |

Cite only `www.pomerium.com` docs. Do not cite `docs.pomerium.com` or archive hosts.