Releases: pomerium/pomerium

v0.31.2

03 Dec 22:10
3bce321

What's Changed

Changed

  • pebble: fix secure fs wrapper by @backport-actions-token[bot] in #5968

Full Changelog: v0.31.1...v0.31.2

v0.31.1

23 Oct 17:01
4ce38ff

Security

This release includes an update to Envoy v1.35.6, to address the following CVEs in Envoy and its dependencies:

What's Changed

Full Changelog: v0.31.0...v0.31.1

v0.30.7

24 Oct 16:32
3671243

Security

This release includes an update to Envoy v1.34.10, to address the following CVEs in Envoy and its dependencies:

What's Changed

Full Changelog: v0.30.6...v0.30.7

v0.31.0

14 Oct 19:01
21710b0

Pomerium v0.31.0

Breaking Changes

  • Tracing configuration updated to match OpenTelemetry standards - Replaced tracing_provider and tracing_sample_rate config fields with new fields that exactly match OTEL environment variable names for better consistency and automatic environment variable binding by @kralicky in #5447
  • Model Context Protocol (MCP) configuration reorganized - Split the mcp config option into separate server and client sections for improved option grouping and clarity by @wasaga in #5666
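The before/after for the tracing change, as an added illustration and not configuration taken from the Pomerium release notes or repository. The pre-0.31 field names are the two the note says were removed; the replacement names are assumed here by lowercasing the standard OTEL_* environment variable names, which is what the note says the new fields match, and the collector endpoint is a placeholder. Provider-specific endpoint fields of the old scheme are left out.

```yaml
# Before v0.31.0 (removed in v0.31.0):
tracing_provider: jaeger
tracing_sample_rate: 0.1

# v0.31.0 and later. Field names below are assumed: the OTEL env var
# names lowercased, per the release note. Endpoint is a placeholder.
otel_traces_exporter: otlp
otel_exporter_otlp_traces_endpoint: http://otel-collector.internal:4318/v1/traces
otel_exporter_otlp_traces_protocol: http/protobuf
otel_traces_sampler: parentbased_traceidratio
otel_traces_sampler_arg: 0.1
```

Because the new names are the OTEL variable names, the same values can be supplied through the environment (OTEL_TRACES_EXPORTER=otlp, OTEL_TRACES_SAMPLER_ARG=0.1) with no Pomerium-specific mapping, which is the automatic binding the note refers to. One caveat when picking the sampler: a parent-based sampler honors the sampled flag of an incoming traceparent header, so if the listener is reachable by untrusted clients they can force their own requests to be sampled regardless of the ratio; if that matters, use the plain traceidratio sampler or strip traceparent at the edge.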

New Features & Changes

Protocol & Connectivity

  • HTTP/3 support - Added support for HTTP/3 protocol with automatic alt-svc header advertisement for improved performance by @calebdoxsey in #5349
  • UDP protocol support - Implemented UDP routing using CONNECT-UDP tunneling for UDP-based applications by @calebdoxsey in #5390
  • gRPC request handling in authorize service - Enhanced authorization service to handle gRPC requests directly by @calebdoxsey in #5400
  • HTTP/3 advertise port configuration - Added ability to configure the port advertised in alt-svc headers for HTTP/3 by @calebdoxsey in #5466
  • gRPC local reply mappers - Added additional local reply mappers for improved gRPC error handling by @calebdoxsey in #5644

Authentication & Authorization

  • JWT groups filtering - Added configurable filter options to control which groups are included in JWT tokens by @kenjenkins in #5417
  • Global JWT issuer format option - Added global configuration option for JWT issuer format across all routes by @kenjenkins in #5508
  • Multi-domain login redirects - Implemented support for redirecting users to different domains during authentication flow by @kenjenkins in #5564
  • Identity provider token authentication - Added support for authenticating directly with IdP tokens for enhanced integration by @calebdoxsey in #5484
  • IdP token session loading in proxy - Added support for loading IdP token sessions in the proxy service for improved authentication flow by @calebdoxsey in #5488
  • Apple identity token support - Added native support for Apple identity tokens in authentication flow by @calebdoxsey in #5610
  • IdP access token verification for OIDC - Implemented access and identity token verification for OIDC providers by @calebdoxsey in #5614
  • GitHub access token support - Added access token support for GitHub identity provider by @calebdoxsey in #5615
  • Identity token refresh for ID tokens - Enhanced identity manager to refresh sessions for ID tokens in addition to access tokens by @kenjenkins in #5727

SSH Support

  • SSH settings configuration - Added comprehensive SSH configuration options for secure shell access by @calebdoxsey in #5664
  • SSH PPL criteria - Implemented SSH-specific policy language criteria for fine-grained access control by @kenjenkins in #5658

Model Context Protocol (MCP) Support

  • MCP integration for AI agents - Added comprehensive Model Context Protocol support enabling AI agents to securely access protected resources by @wasaga in #5578
  • OAuth metadata endpoint for MCP - Implemented OAuth 2.0 metadata endpoint for MCP client discovery by @wasaga in #5579
  • MCP route scaffolding - Set up /.pomerium/mcp routes infrastructure for MCP communications by @wasaga in #5580
  • MCP RFC 7591 types - Added RFC 7591 dynamic client registration types for MCP by @wasaga in #5583
  • MCP authorization handling - Implemented complete authorization request flow for MCP clients by @wasaga in #5586
  • MCP token exchange - Added authorization code token exchange for MCP authentication by @wasaga in #5587
  • Upstream OAuth2 redirect for MCP - Implemented upstream OAuth2 provider integration for MCP authentication by @wasaga in #5594
  • MCP list-routes helper - Added client helper utility for discovering available routes by @wasaga in #5596
  • MCP runtime flag - Added global runtime flag to enable/disable MCP functionality by @wasaga in #5604
  • MCP connect implementation - Completed MCP connect flow for establishing connections by @wasaga in #5640
  • MCP tool logging - Added detailed logging for MCP method and tool invocations in authorize service by @wasaga in #5668

User Interface & User Experience

  • Route portal JSON API - Added JSON API endpoint for route portal data by @calebdoxsey in #5428
  • Route portal with visual cards - Added HTML-based route portal displaying available routes as visual cards by @calebdoxsey in #5443
  • Route logo discovery - Implemented automatic logo discovery for services in route portal by @calebdoxsey in #5448
  • Well-known service icons - Added built-in icon set for common services (GitHub, GitLab, etc.) by @calebdoxsey in #5453
  • Long route name handling - Improved route portal card layout to properly handle long route names and descriptions by @nhayfield in #5514

Configuration & Management

  • Fallback certificate generation - Changed fallback TLS certificate generation to only occur as last resort when no valid certificate is available by @kenjenkins in #5250
  • Route name generation refactoring - Refactored route name generation to support both protobuf and config-based routes by @calebdoxsey in #5427
  • Route metadata fields - Added support for route name, description, and logo URL in route configuration by @calebdoxsey in #5424
  • Source PPL field - Added source field to policy language for tracking policy origin by @calebdoxsey in #5419
  • SIGHUP signal handling - Implemented SIGHUP signal handling for graceful configuration reload by @calebdoxsey in #5459
  • Multiple services mode - Added support for running any combination of 2-3 services together, not just all-in-one or single service mode by @calebdoxsey in #5656
  • DNS configuration options - Added comprehensive DNS resolver configuration options for improved network control by @calebdoxsey in #5789
  • DNS refresh rate options - Added configurable refresh rate for DNS resolution by @calebdoxsey in #5819
  • Circuit breaker thresholds - Added configurable circuit breaker thresholds for improved resilience by @calebdoxsey in #5650

Databroker & Storage

  • On-disk databroker storage - Implemented persistent on-disk storage for databroker to survive restarts by @calebdoxsey in #5774
  • Databroker configuration options - Added comprehensive configuration options for databroker service by @calebdoxsey in #5803
  • Databroker cluster leader ID - Added configuration for identifying cluster leader in databroker by @calebdoxsey in #5813
  • Clustered follower server - Implemented follower server for clustered databroker deployments by @calebdoxsey in #5815
  • Clustered leader server - Implemented leader server for clustered databroker deployments by @calebdoxsey in #5816
  • Follower sync implementation - Added synchronization mechanism for databroker followers by @calebdoxsey in #5817
  • ByteStream service - Added ByteStream gRPC service for efficient data transfer by @calebdoxsey in #5821
  • Clustered server - Completed clustered databroker server implementation by @calebdoxsey in #5825
  • Databroker options refactoring - Refactored databroker configuration options for better organization and usability by @calebdoxsey in #5827
  • Raft leader election - Implemented Raft-based leader election for databroker cluster by @calebdoxsey in #5831
  • Sync cache - Added efficient sync cache for databroker queries by @calebdoxsey in #5639
  • Wait field for sync requests - Added wait capability to sync requests for real-time updates by @calebdoxsey in https://github.com/pome...

v0.30.6

08 Sep 20:57
7ad5455

What's Changed

Changed

Full Changelog: v0.30.5...v0.30.6

v0.30.5

20 Aug 12:35
7caf5a7

What's Changed

Changed

Full Changelog: v0.30.4...v0.30.5

v0.30.4

19 Aug 18:04
cc75d27

What's Changed

  • authenticate: cache OIDC authenticators; add traced, timeout‑bound key fetching — by @calebdoxsey in #5782
  • autocert: stop issuing certificates for non‑HTTPS (e.g., SSH) routes — by @kenjenkins in #5747
  • databroker: move GC to public interface; abort Sync when too far behind — by @calebdoxsey in #5770
  • envoyconfig: don’t bind 0.0.0.0:0 when freebind is enabled; fixes IPv6 upstream errors — by @kenjenkins in #5755
  • identity manager: include ID token expiry in session refresh, clear stale tokens — by @kenjenkins in #5768
  • identity manager: switch scheduler tests to Go’s synctest — by @kenjenkins in #5760
  • postgres: avoid delete deadlocks when pruning record changes; lower default retention — by @calebdoxsey in #5746
  • runtime: add flag to gate ID‑token–based session refresh behavior — by @kenjenkins in #5771
  • ssh: default internal CLI args to empty list to avoid inheriting argv — by @kralicky in #5773
  • telemetry: add distinct stats_prefix per listener for clearer metrics — by @wasaga in #5763
  • telemetry: add instrumentation for better visibility — by @wasaga in #5776
  • telemetry: improve tracing by propagating tracer provider and wrapping HTTP transport — by @calebdoxsey in #5778
  • telemetry: instrument the databroker reconciler and fix component attributes — by @wasaga in #5761
  • telemetry: remove non‑static labels from fast‑forward metrics/traces to avoid cardinality spikes — by @wasaga in #5793
  • telemetry: revert non‑standard units and remove OTEL scope tags to reduce cardinality — by @wasaga in #5762

Full Changelog: v0.30.3...v0.30.4

v0.30.3

16 Jul 22:23
50d0d86

What's Changed

Changed

  • move SyncCache to a new pkg/synccache package by @backport-actions-token[bot] in #5729
  • databroker: update identity manager to use route credentials by @backport-actions-token[bot] in #5730

Full Changelog: v0.30.2...v0.30.3

v0.29.6

16 Jul 22:01
0a53834

What's Changed

Changed

Full Changelog: v0.29.5...v0.29.6

v0.30.2

11 Jul 23:20
1d1f9e6

What's Changed

Changed

  • envoy: set concurrency to GOMAXPROCS by @backport-actions-token[bot] in #5722

Full Changelog: v0.30.1...v0.30.2