### Clone and Start Example ChatGPT App Source: https://www.pomerium.com/docs/capabilities/mcp/tunnel-to-chatgpt Clone the example ChatGPT app template, install dependencies, and start the development server. This sets up a local MCP server on port 8080 and an assets server on port 4444. ```bash git clone https://github.com/pomerium/chatgpt-app-typescript-template my-mcp-app cd my-mcp-app npm install npm run dev ``` -------------------------------- ### Cloning and Starting the JIT Example Stack Source: https://www.pomerium.com/docs/guides/jit These commands clone the `jit-example` repository and start the Docker Compose stack. Save the provided `docker-compose.yaml` file in the same directory after cloning. ```bash git clone https://github.com/pomerium/jit-example # save the Compose file above as docker-compose.yaml in this directory docker compose up -d ``` -------------------------------- ### Install Pomerium Enterprise Client for Go Source: https://www.pomerium.com/docs/internals/management-api-enterprise Use the go install command to install the latest version of the Go client library. ```bash go install github.com/pomerium/enterprise-client-go@latest ``` -------------------------------- ### Scaffold MCP App Project Source: https://www.pomerium.com/docs/capabilities/mcp/develop-mcp-app Clone the template repository, navigate to the project directory, install dependencies, and start the development servers. ```bash git clone https://github.com/pomerium/chatgpt-app-typescript-template my-mcp-app cd my-mcp-app npm install npm run dev ``` -------------------------------- ### Run OpenClaw Install Script Source: https://www.pomerium.com/docs/guides/openclaw Executes the OpenClaw installation script to clone the guide code and bootstrap the installation. The script defaults to installing in the './pomclaw' directory. ```bash curl -fsSL https://pomerium.com/docs/guides/code/openclaw/install.sh | bash ``` -------------------------------- ### Enable and Start Pomerium Enterprise Service Source: https://www.pomerium.com/docs/deploy/enterprise/install Enable the Pomerium Enterprise console service to start on boot and start it immediately. ```bash sudo systemctl enable --now pomerium-console ``` -------------------------------- ### Install Development Tools Source: https://www.pomerium.com/docs/guides/homelab-pipeline Installs essential command-line tools for managing Kubernetes, Terraform, and Pomerium. Ensure you have Homebrew installed. ```bash brew install siderolabs/tap/talosctl brew install kubectl brew install hashicorp/tap/terraform brew install kubeseal brew install helm ``` -------------------------------- ### Install Pomerium Desktop with Homebrew Source: https://www.pomerium.com/docs/deploy/clients Install the Pomerium Desktop client on macOS using Homebrew. This command taps the pomerium repository and then installs the desktop package. ```bash brew tap pomerium/tap brew install pomerium-desktop ``` -------------------------------- ### Setup Pomerium Cloudsmith Repository (Debian/Ubuntu) Source: https://www.pomerium.com/docs/deploy/core Configure the Cloudsmith repository for Pomerium on Debian or Ubuntu-based systems to enable installation via apt. ```bash curl -1sLf \ 'https://dl.cloudsmith.io/public/pomerium/pomerium/setup.deb.sh' \ | sudo -E bash ``` -------------------------------- ### Clone Repository and Navigate to Example Directory Source: https://www.pomerium.com/docs/guides/ssh-tcp-l4-passthrough Clone the Pomerium documentation repository and change into the SSH/TCP L4 passthrough example directory. ```bash git clone https://github.com/pomerium/documentation cd documentation/content/examples/ssh-tcp-l4-passthrough ``` -------------------------------- ### Install and Use mkcert for Local Certificates Source: https://www.pomerium.com/docs/deploy/core Installs mkcert and generates local certificates for *.localhost.pomerium.io domains, useful for local development. ```bash go install filippo.io/mkcert@latest mkcert -install mkcert '*.localhost.pomerium.io' ``` -------------------------------- ### Example Log Output with ID Token and Claims Source: https://www.pomerium.com/docs/reference/authorize-log-fields This example shows the log output when `id-token` and `id-token-claims` are enabled. ```json { "id-token": "", "id-token-claims": { "aud": "XmDTct9PHNsMRxKxCIObqWnmnEJLguPQ", "email": "example@pomerium.com", "email_verified": true, "exp": 1691452058, "family_name": "Painter", "given_name": "Zachary", "iat": 1691416058, "iss": "https://dev-XXXXXXXXXXXXXXXX.us.auth0.com/", "locale": "en", "name": "Zachary Painter", "nickname": "XXXXXXXX", "picture": "https://lh3.googleusercontent.com/a/XXX=s96-c", "pomerium.io/groups": ["admin"], "sid": "L_tMPjzHdHKd6q1NjGdHERgSdWUUZF1b", "sub": "google-oauth2|XXXXXXXXXXXXXXXXXXXXX", "updated_at": "2023-08-03T17:44:00.171Z" }, "allow": true, "allow-why-true": ["domain-ok"], "deny": false, "deny-why-false": [], "level": "info", "service": "authorize", "time": "2023-08-07T10:43:36-04:00", "message": "authorize check" } ``` -------------------------------- ### Go Request Example Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-list-available-log-fields Example of how to make a POST request to the ListAvailableLogFields API using Go's net/http package. ```Go package main import ( "bytes" "encoding/json" "fmt" "net/http" ) func main() { url := "https://{console.pomerium.app}/pomerium.config.ConfigService/ListAvailableLogFields" requestBody, _ := json.Marshal(map[string]interface{}{}) req, err := http.NewRequest("POST", url, bytes.NewBuffer(requestBody)) if err != nil { fmt.Printf("Error creating request: %s\n", err) return } req.Header.Set("Content-Type", "application/json") req.Header.Set("Accept", "application/json") client := &http.Client{} res, err := client.Do(req) if err != nil { fmt.Printf("Error sending request: %s\n", err) return } defer res.Body.Close() var result map[string]interface{} if err := json.NewDecoder(res.Body).Decode(&result); err != nil { fmt.Printf("Error decoding response: %s\n", err) return } fmt.Println(result) } ``` -------------------------------- ### Install Pomerium CLI with Homebrew Source: https://www.pomerium.com/docs/deploy/clients Install the Pomerium CLI using Homebrew on macOS. First, tap the pomerium repository, then install the CLI package. ```bash brew tap pomerium/tap brew install pomerium-cli ``` -------------------------------- ### GetSettings Request Body Example Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-get-settings This example demonstrates the required JSON body for the GetSettings request, specifying the cluster ID. ```json { "clusterId": "string" } ``` -------------------------------- ### Install Pomerium Zero with Shell Script Source: https://www.pomerium.com/docs/deploy/cloud/install Install Pomerium Zero using a curl command to download and execute the installation script. Replace with your cluster token. ```bash curl https://console.pomerium.app/install.bash | env POMERIUM_ZERO_TOKEN= bash -s install ``` -------------------------------- ### MCP Resource Listing Request Log Example Source: https://www.pomerium.com/docs/capabilities/mcp/reference Example log output for an MCP 'resources/list' request, showing a successful authorization. ```json { "mcp-method": "resources/list", "allow": true } ``` -------------------------------- ### UpdateSettings Request Body Example Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-update-settings Example of the JSON body for the UpdateSettings request, demonstrating various configuration options. ```json { "settings": { "id": null, "namespaceId": null, "clusterId": null, "originatorId": null, "name": "my-settings", "installationId": null, "logLevel": "debug", "accessLogFields": { "values": [ "request_id", "service", "start_time", "duration", "remote_ip", "uri", "user_agent", "user", "xff", "method", "host", "status_code", "response_size", "request_id" ] }, "authorizeLogFields": { "values": [ "request_id", "start_time", "duration", "remote_ip", "uri", "user_agent", "user", "xff", "method", "host", "status_code", "identity_provider_name", "identity_provider_user_id", "identity_provider_username" ] }, "proxyLogLevel": "info", "sharedSecret": "aGVsbG8gd29ybGQhIHRoaXMgaXMgYSBzZWNyZXQh", "services": "all", "address": ":443", "insecureServer": false, "dnsFailureRefreshRate": { "duration": "10s" } } } ``` -------------------------------- ### Install mkcert Source: https://www.pomerium.com/docs/get-started/fundamentals/core/tcp-routes Installs mkcert and generates a local root CA certificate. This is a prerequisite for generating development certificates. ```bash mkcert -install ``` -------------------------------- ### Install Pomerium Enterprise Client for Python Source: https://www.pomerium.com/docs/internals/management-api-enterprise Use pip3 to install the Python client library directly from its GitHub repository. ```bash pip3 install git+https://git@github.com/pomerium/enterprise-client-python ``` -------------------------------- ### Start Pomerium Zero with Docker Compose Source: https://www.pomerium.com/docs/deploy/cloud/install Run this command in the same directory as your 'compose.yaml' file to start Pomerium Zero services. ```bash docker compose up -d ``` -------------------------------- ### ListKeyPairs Request Body Example Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-list-key-pairs An example of the JSON body for the ListKeyPairs request, demonstrating pagination, filtering, and sorting parameters. ```json { "offset": 0, "limit": 0, "filter": {}, "orderBy": "string" } ``` -------------------------------- ### Run OpenClaw Install Script to Custom Directory Source: https://www.pomerium.com/docs/guides/openclaw Executes the OpenClaw installation script and specifies a custom directory for installation. This allows users to choose where the guide code is cloned and installed. ```bash curl -fsSL https://pomerium.com/docs/guides/code/openclaw/install.sh | bash -s -- ~/openclaw ``` -------------------------------- ### Example Envoy Cluster Ext Authz Error Metric Source: https://www.pomerium.com/docs/reference/metrics This is an example of an Envoy metric, specifically a counter for external authorization errors. It includes standard labels like service, cluster name, installation ID, and hostname. ```prometheus # TYPE envoy_cluster_ext_authz_error counter envoy_cluster_ext_authz_error{service="pomerium-proxy",envoy_cluster_name="telemetry-team1-allowed-00008",installation_id="aecd6525-9eaa-448d-93d9-6363c04b1ccb",hostname="pomerium-proxy-55589cc5f-fjhsb"} 34 ``` -------------------------------- ### Start Sample MCP Server Source: https://www.pomerium.com/docs/capabilities/mcp/protect-mcp-server Use Docker Compose to start one of the sample MCP servers from the pomerium/mcp-servers repository. This is a prerequisite for testing Pomerium's MCP protection. ```bash # Example: start one of the sample servers from the pomerium/mcp-servers repo docker compose up -d ``` -------------------------------- ### Go Example: Set Pomerium Route Source: https://www.pomerium.com/docs/internals/management-api-enterprise This script demonstrates how to use the Pomerium Go client to list namespaces and policies, and then set a new route. Ensure the service account token is set as an environment variable and adjust TLS configuration if necessary. ```go package main import ( "context" "crypto/tls" "fmt" "os" pb "github.com/pomerium/enterprise-client-go/pb" client "github.com/pomerium/enterprise-client-go" ) var serviceAccountToken = os.Getenv("SERVICE_ACCOUNT") var target = "console-api.localhost.pomerium.io:443" func main() { err := run() if err != nil { fmt.Printf("%s\n", err) } } func run() error { ctx := context.Background() lsConfig := &tls.Config{InsecureSkipVerify: true} p, err := client.NewClient(ctx, target, serviceAccountToken, client.WithTlsConfig(tlsConfig)) if err != nil { return fmt.Errorf("failed to connect: %w", err) } nsResp, err := p.NamespaceService.ListNamespaces(ctx, &pb.ListNamespacesRequest{}) if err != nil { return fmt.Errorf("could not list namespaces: %w", err) } var productionNamespaceId string for _, n := range nsResp.GetNamespaces() { if n.GetName() == "Production" { productionNamespaceId = n.GetId() } } if productionNamespaceId == "" { return fmt.Errorf("could not find production namespace") } policyName := "my policy" var policyId string polResp, err := p.PolicyService.ListPolicies(ctx, &pb.ListPoliciesRequest{Namespace: productionNamespaceId, Query: &policyName}) if err != nil { return fmt.Errorf("failed to find policy: %w", err) } if len(polResp.GetPolicies()) == 0 { return fmt.Errorf("no policy named '%s' found", policyName) } policyId = polResp.GetPolicies()[0].GetId() passIdHeaders := true newRoute := &pb.Route{ NamespaceId: productionNamespaceId, Name: "my route", From: "https://test.localhost.pomerium.io", To: []string{"https://verify.pomerium.com"}, PolicyIds: []string{policyId}, PassIdentityHeaders: &passIdHeaders, } routeResp, err := p.RouteService.SetRoute(ctx, &pb.SetRouteRequest{Route: newRoute}) if err != nil { return fmt.Errorf("could not create route: %w", err) } fmt.Printf("created route id: %s\n", routeResp.Route.GetId()) return nil } ``` -------------------------------- ### Basic Redirect Configuration Source: https://www.pomerium.com/docs/reference/routes/redirect Example of setting up a host redirect. Ensure either 'redirect', 'to', or 'response' is configured. ```yaml redirect: {'host_redirect': 'example.com'} ``` -------------------------------- ### GetPolicy API cURL Request Example Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-get-policy Use this cURL command to send a GET request to the GetPolicy API. Ensure you replace placeholders like {console.pomerium.app} with your actual service URL and provide the required 'id' in the request body. ```curl curl -L -g 'https://{console.pomerium.app}/pomerium.config.ConfigService/GetPolicy' \ -H 'Content-Type: application/json' \ -H 'Accept: application/json' \ -d '{ "id": "string" }' ``` -------------------------------- ### Azure Blob Storage Connection String Setup Source: https://www.pomerium.com/docs/capabilities/session-recording Set up Azure storage using a full connection string. The storage account can be specified separately if not included in the connection string. ```bash export AZURE_STORAGE_CONNECTION_STRING="" export AZURE_STORAGE_ACCOUNT= # if not specified in the connection string ``` -------------------------------- ### Configure Embedded Prometheus Data Directory Source: https://www.pomerium.com/docs/deploy/enterprise/configure-metrics For an embedded Prometheus instance, specify the 'prometheus_data_dir' key with a file path in your Pomerium Enterprise configuration. This directory must have write permissions. The example uses the default location for OS Packages installations. ```yaml prometheus_data_dir: /var/lib/pomerium-console/tsdb ``` -------------------------------- ### Docker Compose Configuration for JIT Example and Pomerium Zero Source: https://www.pomerium.com/docs/guides/jit This configuration sets up Pomerium Zero and the `jit-example` application. Pomerium Zero manages routes and time-limited policies via the Zero Console, while `jit-example` is the protected application. Ensure you replace placeholder values with your actual credentials and domain. ```yaml services: pomerium: image: pomerium/pomerium@sha256:e10d1d267af24f581157f485d9b0bc08469e2428675b696a08e42ceb09b2279c # v0.32.7 environment: - POMERIUM_ZERO_TOKEN=REPLACE_WITH_YOUR_POMERIUM_ZERO_TOKEN volumes: - pomerium-cache:/data ports: - 443:443 - 80:80 restart: always jit-example: build: ./jit-example environment: - PORT=8000 - ORGANIZATION_ID=REPLACE_WITH_YOUR_ORGANIZATION_ID - CLUSTER_ID=REPLACE_WITH_YOUR_CLUSTER_ID - API_USER_TOKEN=REPLACE_WITH_YOUR_API_USER_TOKEN - JWKS_ENDPOINT=https://jit-example.yourdomain.com/.well-known/pomerium/jwks.json restart: always volumes: pomerium-cache: ``` -------------------------------- ### Basic PPL Policy Example Source: https://www.pomerium.com/docs/internals/ppl This example demonstrates a basic PPL policy structure with 'allow' and 'deny' actions. It grants access if the user's domain matches 'example.com' and denies access to specific email addresses. ```yaml allow: and: - domain: is: example.com deny: or: - email: is: user2@example.com - email: is: user3@example.com ``` -------------------------------- ### Apply Kubernetes Zero Installation Manifest Source: https://www.pomerium.com/docs/deploy/cloud/install Apply the Kubernetes installation manifest for Pomerium Zero. This command installs Pomerium into your Kubernetes cluster. ```bash kubectl apply -k github.com/pomerium/pomerium/k8s/zero ``` -------------------------------- ### SSH Authentication Example Source: https://www.pomerium.com/docs/internals/client-binding Demonstrates the initial authentication process for SSH when using Pomerium. This typically involves a redirect to a sign-in page for verification. ```bash ssh -p 2222 user@route@host ``` ```html Please sign in to continue /.pomerium/sign_in?user_code=C6I3E-wUa1ne-TVtrORlQw ``` -------------------------------- ### Enable and Start Pomerium Systemd Service Source: https://www.pomerium.com/docs/deploy/core Enables the Pomerium service to start on boot and starts it immediately. This command is used after configuring the systemd service. ```bash sudo systemctl enable --now pomerium.service ``` -------------------------------- ### Homelab DNS Flow Example Source: https://www.pomerium.com/docs/guides/homelab-pipeline Illustrates the DNS resolution and traffic routing for a homelab environment, from wildcard DNS to the Pomerium proxy and backend services. ```text *.example.lab -> Cloudflare DNS (A record -> public IP) -> Router (port forward 443 -> 192.168.10.100) -> MetalLB (L2 advertisement -> Pomerium pod) -> Pomerium (authenticate -> authorize -> proxy) -> Backend service (e.g., verify.verify.svc.cluster.local:80) ``` -------------------------------- ### Build Pomerium CLI from Source Source: https://www.pomerium.com/docs/deploy/clients Build the Pomerium CLI from source by cloning the repository, navigating into the directory, and running the make build command. Then, execute the help command to verify. ```bash git clone https://github.com/pomerium/cli.git cd cli make build ./bin/pomerium-cli --help ``` -------------------------------- ### Proto Field Mask Example Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-update-policy An example of a field mask in proto format. ```proto mask { paths: "user.display_name" paths: "photo" } ``` -------------------------------- ### Pomerium Installation Output Source: https://www.pomerium.com/docs/deploy/k8s/quickstart This output shows the Kubernetes resources created during the Pomerium installation. ```yaml namespace/pomerium created customresourcedefinition.apiextensions.k8s.io/pomerium.ingress.pomerium.io created serviceaccount/pomerium-controller created serviceaccount/pomerium-gen-secrets created clusterrole.rbac.authorization.k8s.io/pomerium-controller created clusterrole.rbac.authorization.k8s.io/pomerium-gen-secrets created clusterrolebinding.rbac.authorization.k8s.io/pomerium-controller created clusterrolebinding.rbac.authorization.k8s.io/pomerium-gen-secrets created service/pomerium-metrics created service/pomerium-proxy created deployment.apps/pomerium created job.batch/pomerium-gen-secrets created ingressclass.networking.k8s.io/pomerium created ``` -------------------------------- ### Timestamp Example 1 Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-get-route A concrete example of a timestamp string in RFC 3339 format. ```text 2023-01-15T01:30:15.01Z ``` -------------------------------- ### Install Gateway API CRDs Source: https://www.pomerium.com/docs/deploy/k8s/gateway-api Apply the standard installation YAML for Gateway API CRDs. ```bash kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml ``` -------------------------------- ### JSON Timestamp Format Example 3 Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-update-settings A further example of the RFC 3339 format for Timestamp in JSON. ```json "2024-12-25T12:00:00Z" ``` -------------------------------- ### Ingress Event Example Source: https://www.pomerium.com/docs/deploy/k8s/ingress Example output showing an 'Updated' event for a Pomerium Ingress resource. ```yaml Events: Type Reason Age From Message ---- ------ ---- ---- ------- Normal Updated 18s pomerium-ingress updated pomerium configuration ``` -------------------------------- ### MCP Tool Listing Request Log Example Source: https://www.pomerium.com/docs/capabilities/mcp/reference Example log output for an MCP 'tools/list' request, indicating successful authorization for an authenticated user. ```json { "mcp-method": "tools/list", "allow": true, "allow-why-true": ["authenticated-user"] } ``` -------------------------------- ### Python Example: Set Pomerium Route Source: https://www.pomerium.com/docs/internals/management-api-enterprise This script demonstrates how to use the Pomerium Python client to list namespaces and policies, and then set a new route. Ensure the CA certificate and service account credentials are set as environment variables. ```python #!/usr/bin/env python import os from pomerium.client import Client from pomerium.pb.policy_pb2 import ListPoliciesRequest from pomerium.pb.namespaces_pb2 import ListNamespacesRequest from pomerium.pb.routes_pb2 import SetRouteRequest, Route # get custom CA and service account credentials from environment ca_cert = os.getenv('CA_CERT', '').encode('utf-8') sa = os.getenv('SERVICE_ACCOUNT', '') console_api = 'console-api.localhost.pomerium.io' client = Client(console_api, sa, root_certificates=ca_cert) # get id for namespace 'Production' resp = client.NamespaceService.ListNamespaces(ListNamespacesRequest()) ns = [n for n in resp.namespaces if n.name == 'Production'][0] # find policy named 'my policy' in namespace 'Production' resp = client.PolicyService.ListPolicies( ListPoliciesRequest(query='my policy', namespace=ns.id) ) policy = resp.policies[0] # set route in namespace 'Production', associated to 'my policy' route = Route(**{ 'namespace_id': ns.id, 'name': 'my route', 'from': 'https://test.localhost.pomerium.io', 'to': ['https://verify.pomerium.com'], 'policy_ids': [policy.id], 'pass_identity_headers': True, }) resp = client.RouteService.SetRoute(SetRouteRequest(route=route)) print(resp) ``` -------------------------------- ### Re-install Pomerium Zero after upgrade Source: https://www.pomerium.com/docs/internals/troubleshooting Use this command to re-run the Pomerium Zero install script after an upgrade if you initially installed using the Linux install script during the beta. Ensure you replace `` with your actual cluster token. ```bash $ curl https://console.pomerium.app/install.bash | \ env POMERIUM_ZERO_TOKEN= bash -s install ``` -------------------------------- ### JSON Timestamp Format Example 2 Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-update-settings Another example of the RFC 3339 format for Timestamp in JSON. ```json "2023-01-15T01:30:15.01Z" ``` -------------------------------- ### Example Log Output with Request Body Source: https://www.pomerium.com/docs/reference/authorize-log-fields This is an example of the log output when the `body` field is enabled for logging. ```json { "body": "{\"username\":\"user@example.com\",\"action\":\"login\"}", "allow": true, "allow-why-true": ["domain-ok"], "deny": false, "deny-why-false": [], "level": "info", "service": "authorize", "time": "2023-08-07T10:43:36-04:00", "message": "authorize check" } ``` -------------------------------- ### Run Python Programmatic Access Example Source: https://www.pomerium.com/docs/internals/programmatic-access Execute the Python script to demonstrate programmatic access. This command initiates the authentication flow. ```bash python3 scripts/programmatic_access.py \ --dst https://verify.example.com/headers ``` -------------------------------- ### JSON Timestamp Format Examples Source: https://www.pomerium.com/docs/api/pomerium-config-config-service-update-service-account Provides additional examples of RFC 3339 formatted timestamps in JSON. ```json "2023-01-15T01:30:15.01Z" ``` ```json "2024-12-25T12:00:00Z" ``` -------------------------------- ### Create Factorio Save File Source: https://www.pomerium.com/docs/capabilities/non-http/examples/factorio Creates a new Factorio save file named 'pomerium-example.zip' using the Factorio server executable. ```bash ./bin/x64/factorio --create ./saves/pomerium-example.zip ``` -------------------------------- ### Basic Route Configuration Example Source: https://www.pomerium.com/docs/reference/routes This snippet shows a basic route configuration with 'from', 'to', and a simple 'allow' policy based on domain. It also includes optional 'cors_allow_preflight' and 'timeout' settings. ```yaml # This file contains only route and policy configuration details. Other # configuration settings required by pomerium are excluded for clarity. # See: https://www.pomerium.io/docs/reference/ # # For a complete self contained configuration see : config.example.yaml. # Or, mix and match a policy file (this) with env vars : config.example.env routes: - from: https://verify.localhost.pomerium.io to: http://localhost:8000 policy: - allow: or: - domain: is: pomerium.io cors_allow_preflight: true timeout: 30s ``` -------------------------------- ### Example Pomerium Configuration with Policies Source: https://www.pomerium.com/docs/get-started/fundamentals/core/build-policies This is an example of a complete Pomerium configuration file after applying policies. It includes routes for both verify and Grafana services, each secured with a domain-based policy. ```yaml authenticate_service_url: https://authenticate.pomerium.app routes: - from: https://verify.localhost.pomerium.io to: http://verify:8000 policy: allow: and: - domain: is: example.com - from: https://grafana.localhost.pomerium.io to: http://grafana:3000 policy: allow: and: - domain: is: example.com ```