Pomerium

It acts as an identity‑aware reverse proxy that inserts an OAuth authentication step before forwarding requests to internal services, allowing self‑hosted web applications to be exposed safely to the public Internet. By integrating with any OIDC‑compatible identity provider, it issues cryptographically signed JWTs for upstream connections and enforces access policies defined in YAML‑style code, providing continuous verification and centralized auditing of every request.

The proxy is built on top of the Envoy proxy layer, offering layer‑7 routing, scalability, and the ability to deploy alongside the protected applications without requiring a corporate VPN. It supports clientless access, enabling remote employees, contractors, and distributed teams to reach critical workloads with reduced latency and without installing VPN software.

Pomerium is released under the Apache‑2.0 license, is self‑hostable, and provides a free tier with no subscription requirements. It targets developers and operations teams that need a zero‑trust, context‑aware access solution for internal services while retaining full control over deployment and policy management.