Skip to main content


Since 0.16.0


Per Route OIDC Credentials

This release of Pomerium adds the ability to bind a route to unique OIDC credentials. This allows Identity Provider administrators to view Pomerium protected applications individually rather than as a single shared application.

See idp_client_id and idp_client_secret for configuration details.

Updated User Info Page

The .pomerium user info page has been redesigned to better structure data around user identity, group, and device information.

External Google Groups

Pomerium policy now supports group members from outside of your organization.

Since 0.15.0


Policy for Device Identity

This release of Pomerium adds the ability to set policy based on system registration via WebAuthN.

See Device Identity for more details.

HTTP PPL Criteria

http_path and http_method are now supported for matching HTTP requests in policies. See Pomerium Policy Language for more details.


Self-signed fallback certificates

When selecting a TLS certificate for a listener, Pomerium attempts to locate one by iterating through the provided certs and searching for a SAN match. This applies to all listeners, including internal service URLs like databroker_service_url and public endpoints like

Previously, when no match was found, Pomerium would select the "first" certificate in the list. However, the definition of "first" might change based on runtime configuration, so the certificate selection was non-deterministic.

Starting in v0.16, Pomerium will instead generate a self-signed certificate if it cannot locate an appropriate certificate from the provided configuration or system key/trust store. If you discover that you are receiving a self-signed certificate rather than a certificate from certificate/certificates/certificate_file or the trust store, you have a mismatch between your service URL and the names covered in your certificates.

OIDC flow no longer sets default uri params

Previously, Pomerium would default to setting the uri param access_type to offline for all OpenID Connect based identity providers. However, using uri params to ensure offline access (e.g. refresh_tokens used to keep user's sessions alive) is unique to Google. Those query params will now only be set for Google. Other OIDC based IdP's should continue to work using OIDC's offline_access scope.

Removed options

The deprecated headers option has been removed. Use set_response_headers instead.

The signing_key_algorithm option has been removed and will now be inferred from signing_key.

Changed GitHub Team IDs

To improve performance, IdP directory synchronization for GitHub now uses the GraphQL API. This API returns the same information as the REST API, except that the GraphQL node IDs are different. Where we previously used the team integer ID from the REST API, we now use the team slug instead. Most policies should already use the team slug for group based rules, which should continue to work. However, if the integer ID is used it will no longer work. Update those policies to use the team slug instead.

CLI Source and Packaging Update

pomerium-cli has been factored out of the core repository and now resides at If you currently install the CLI tool from Packages or Homebrew, no changes should be required to your process. However, users of docker images or direct github release downloads will need to update their references.

Please see the updated install instructions for additional details.