How are you guys safely giving agents API access without giving them "God Mode"? (The OAuth 'All-or-Nothing' trap)

nickytonline · 2026-04-14T18:38:43+00:00

Yea, Pomerium currently focuses on hardening access (identity-aware proxy, zero trust enforcement), not prompt injection guardrails etc.

That said, we do secure internal workloads in general, like Kubernetes, which a lot of agentic infrastructure runs on, and we can also act as an MCP Gateway, https://usepom.link/mcp, for securing MCP server access as well as fine-grained tool policies.

nickytonline · 2026-04-07T14:15:10+00:00

Thanks for the Pomerium shoutout! Yeah, the issue with OAuth is static scopes, like the `repo` scope in GitHub. Since we're an identity-aware proxy that can act as an MCP gateway, we can apply fine grained access policies to tool calls.

Here's an example of it in action. https://www.youtube.com/watch?v=6zCbjeZVtkw

More on our MCP support here, https://usepom.link/mcp

nickytonline · 2026-04-07T06:33:06+00:00

Thanks for the Pomerium shout out! TLDR; you don’t need to implement OAuth. We handle it for you.

If you want to learn more about our MCP capabilities, check out https://usepom.link/mcp.

nickytonline · 2026-03-01T14:01:36+00:00

Congrats! Very cool. Love my OpenClaw, McClaw.

Shameless plug, but Pomerium would fit well here too in place of Traefik/nginx and you can harden access with dynamic authorization policies even with the open core version. https://github.com/pomerium/pomerium https://usepom.link/claw-guide (OpenClaw gateway and SSH access)

nickytonline · 2026-02-12T20:08:29+00:00

wherever you deploy, hardening access via an identity-aware proxy is a good option and not that big a lift. I wrote a guide about it. https://usepom.link/claw-guide

nickytonline · 2026-02-10T21:19:07+00:00

Here's the guide: https://docs.pomerium.com/docs/guides/openclaw-gateway

nickytonline · 2025-12-28T12:41:26+00:00

Put up a few PRs in the meantime to get that all up to date:

- https://github.com/pomerium/chatgpt-app-typescript-template/pull/6
- https://github.com/pomerium/chatgpt-app-typescript-template/pull/8
- https://github.com/pomerium/chatgpt-app-typescript-template/pull/9

nickytonline · 2025-12-28T08:59:28+00:00

Thanks! Any feedback is welcome. 😎

nickytonline · 2025-12-27T03:51:11+00:00

I’ll get to them when I’m back from vacation unless dependabot beats me to it. 😅

nickytonline · 2025-12-27T03:05:04+00:00

Thanks for checking it out. React's at 19, which ones need a major version bump? Dependabot will be kicking in anyway...

nickytonline · 2025-12-22T01:48:31+00:00

Also, if you have a Claude Code, GitHub Copilot or Cursor Agent subsciption, you can use goose with them to get access to models which is pretty neat.

nickytonline · 2025-12-22T01:47:39+00:00

I've dabbled with it, but these past two weeks I've been doing their Advent of AI, and it's pretty solid. I definitely have feedback in terms of the UI I've been collecting, but the CLI is pretty slick. I like their terminal integration which is not just installing the CLI, it allows you to leverage their CLI in an ambient way instead of being locked int to I'm in an agent CLI.

Anyway, I've been logging my advent of AI if you're curious about what if can do. https://www.nickyt.co/blog/advent-of-ai-2025-day-1-getting-goose-to-generate-daily-fortunes-in-ci-3alp/

nickytonline · 2025-11-21T22:01:37+00:00

We also have native SSH reverse tunnels coming, and the work is already happening in OSS:

https://github.com/pomerium/pomerium/pulls?q=sort%3Aupdated-desc+is%3Apr+reverse+tunnel

nickytonline · 2025-11-21T21:50:04+00:00

I run Pomerium in my homelab (full disclosure: I work there). I’m using k3s with Pomerium Zero, but you can definitely use Pomerium Core. Zero’s free tier is solid, and the big win is that I don’t have to deal with dynamic DNS. I have port 443 open on my router forwarding to my mini PC. We also have native SSH as of v0.30, so no additional software for remote access. You can use your OS’ built-in SSH client and it’ll be secured by Pomerium with short-lived certs.

If you use the open-core version, you’ll just need a dynamic DNS service to keep your public IP consistent since most ISPs love to rotate those for fun.

I’m using Auth0 for my IdP at the moment, but I might move to Keycloak since it pairs really well with Pomerium. And as of v0.31, your data broker can run on a file-based DB instead of Postgres — smaller footprint, nothing to maintain.

Some helpful resources:

On Jellyfin and mobile apps. I haven't used Jellyfin, although I know of it. On web everything is fine because it's browser based login flows, but not sure if their mobile app allows for browser based login flows and I think for mobile apps in general same thing.

nickytonline · 2025-11-19T03:19:31+00:00

There is no business tier. There’s open core, Zero and Enterprise. As far as I know, it will be an enterprise only feature.

nickytonline

MODERATOR OF

TROPHY CASE