Model Context Protocol (MCP) Support
Pomerium provides secure access to Model Context Protocol (MCP) servers, enabling AI agents and applications to safely interact with your internal resources through standardized interfaces.
Key Capabilities
Secure MCP Gateway
Pomerium is a secure gateway for your MCP servers. Place any internal MCP server behind Pomerium, and external clients (Claude, ChatGPT, VS Code, and others) can reach it securely. Pomerium handles authentication, authorization, TLS termination, and all the customary gateway concerns — your server stays in the internal network, never exposed directly, and focuses purely on business logic.
See Protect an MCP Server for setup instructions.
MCP Bridging
Pomerium acts as an MCP-aware bridge between your clients and remote third-party MCP servers that have their own authentication and authorization. Rather than exposing upstream credentials to each client, Pomerium sits in the middle and handles the full upstream OAuth lifecycle on the user's behalf.
When a client connects to a Pomerium-fronted MCP route, Pomerium:
- Authenticates the user through your identity provider (downstream OAuth 2.1)
- Authenticates with the upstream MCP server by managing the upstream OAuth flow — acquiring, caching, and automatically refreshing access tokens
- Enforces authorization policies on every request, including fine-grained tool-level access control
- Injects the upstream token into proxied requests transparently — your MCP server receives a valid bearer token without the client ever seeing it
This means third-party MCP servers with their own auth (GitHub, Linear, Notion, Google, and others) can be securely bridged through Pomerium. Clients authenticate once with Pomerium and never handle upstream credentials directly. Pomerium supports both static OAuth2 configuration (where you register client credentials) and automatic RFC 9728 discovery for MCP servers that advertise their own authorization requirements.
See MCP + Upstream OAuth for setup instructions.
Per-User Connection Management
Each user manages their own upstream MCP connections independently. Because different MCP servers may require separate OAuth consent (for example, a GitHub server and a Linear server), Pomerium tracks connection status per user, per route. Users can connect, disconnect, and see the status of each upstream server through Pomerium's routes portal or programmatically via the server discovery API — one user's connections never affect another's.
See Delegate MCP Access to an LLM and the MCP Full Reference for API details.
Fine-Grained Tool Access Control
Pomerium uses Pomerium Policy Language (PPL) to control which MCP tools each user or group can call. The mcp_tool criterion matches tool names by exact name, prefix, suffix, or list — enabling deny-based block lists (e.g. block all admin_* tools) and allowlists (e.g. only permit query and list_tables). Tool restrictions compose with identity-based policies, so you can grant different tool sets to different teams.
Every tool call is logged with the method, tool name, and parameters, giving you full audit visibility into what AI agents do on behalf of your users.
See Limit MCP Tool Calling for patterns and examples.
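The following is an added example, not Pomerium code and not PPL syntax: a small Python model of the matching modes described above (exact name, prefix, suffix, list) combined with group-based rules, which can be used to check an intended tool matrix before writing the real policy. The class names, group names, tool names, and sample calls are constructed, and the model assumes that a matching deny rule overrides any allow and that a call with no matching allow is refused.

```python
from __future__ import annotations
from dataclasses import dataclass
@dataclass(frozen=True)
class ToolMatch:
    """The four ways the page says a tool name can be matched."""
    exact: str | None = None
    prefix: str | None = None
    suffix: str | None = None
    any_of: tuple[str, ...] = ()

    def matches(self, tool: str) -> bool:
        return (
            (self.exact is not None and tool == self.exact)
            or (self.prefix is not None and tool.startswith(self.prefix))
            or (self.suffix is not None and tool.endswith(self.suffix))
            or tool in self.any_of
        )

@dataclass(frozen=True)
class Rule:
    effect: str                           # "allow" or "deny"
    tools: ToolMatch
    groups: frozenset[str] = frozenset()  # empty: applies to every user

    def applies(self, user_groups: set[str], tool: str) -> bool:
        identity_ok = not self.groups or bool(self.groups & user_groups)
        return identity_ok and self.tools.matches(tool)

def decide(rules: list[Rule], user_groups: set[str], tool: str) -> str:
    """Assumed semantics: any matching deny wins; no matching allow is a deny."""
    effects = {r.effect for r in rules if r.applies(user_groups, tool)}
    return "allow" if effects == {"allow"} else "deny"

# Constructed policy: one global block list plus per-team allowlists.
POLICY = [
    Rule("deny", ToolMatch(prefix="admin_")),
    Rule("allow", ToolMatch(any_of=("query", "list_tables")), frozenset({"analysts"})),
    Rule("allow", ToolMatch(suffix="_table"), frozenset({"dba"})),
]
# Constructed calls: (caller's groups, requested tool name).
CALLS = [
    ({"analysts"}, "query"),        # on the analysts allowlist
    ({"analysts"}, "admin_reset"),  # hits the block list
    ({"dba"}, "describe_table"),    # suffix allow for dba
    ({"dba"}, "admin_table"),       # suffix allow matches, prefix deny wins
    ({"interns"}, "list_tables"),   # no allow rule covers this group
]
def evaluate_all() -> list[str]:
    return [decide(POLICY, groups, tool) for groups, tool in CALLS]
```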
Delegating MCP Access to AI Agents
Not every MCP caller is a human sitting behind a browser. Pomerium supports two patterns for letting AI agents and applications call MCP tools on a user's behalf:
- Service accounts — For CI pipelines, background jobs, and autonomous agents where no interactive login is possible, mint a Pomerium service account that represents a specific user. The service account JWT authenticates MCP requests directly, and identity-based policies (email, groups) still apply.
- Client applications — Build an app behind a Pomerium mcp: client route. Your app receives an External Token (TE) for the authenticated user and passes it to an LLM API (OpenAI, Anthropic, etc.). The LLM calls MCP tools through Pomerium with the user's identity — same policies, same audit logging.
Either way, Pomerium enforces the same authorization policies and logs every tool call — whether the caller is a human, an LLM, or a CI agent.
See Delegate MCP Access to an LLM for both patterns.
Dev Tunneling with pom.run
For local development, ssh -R 0 pom.run exposes your local MCP server over HTTPS — one command, no configuration. Pomerium authenticates and authorizes every request through the tunnel, so you can test with ChatGPT, Claude, or any other hosted MCP client immediately.
See Tunnel to ChatGPT During Development for the full walkthrough.
Blueprints
| Blueprint | Description |
|---|---|
| Protect an MCP Server | Proxy an internal MCP server through Pomerium — no auth logic needed on the server side |
| MCP + Upstream OAuth | Bridge to upstream OAuth2 APIs like GitHub, Google Drive, or Notion |
| Tunnel to ChatGPT | Expose a local MCP server to ChatGPT for development and testing |
| Limit MCP Tool Calling | Control which MCP tools each user or group can call with PPL policies |
| Develop an MCP App | Build interactive ChatGPT Apps with custom widgets and tools |
| Delegate MCP Access to an LLM | Pass the user's token to an LLM so it can call MCP servers on their behalf |
| MCP Full Reference | Configuration options, token types, security details, session lifecycle, and observability |