$HEADLESS SYSTEMS
03 / Scorecard / Auth & Identity

Pomerium

Band: F
Headless Index: 13/100 (denominator 40)
JAIRF: N/A
Verified: MAY 21, 2026
Methodology v1 · JAIRF v1.0.0

Powered by JAIRF v1.0.0 by Jentic · open methodology at /the-headless-index/methodology

Editorial verdict
Pomerium is not built for machine consumption today. The Headless Index thesis-fit score of 13/100 fails the floor checks of the index, and JAIRF is recorded as N/A for this vendor because no public OpenAPI specification was reachable for the open-source scorer. In practice, agents can poke at vendors at this tier, but the dashboard remains the source of truth, and the rest of this verdict explains where Pomerium lands inside that pattern.

On the API surface, the question is whether the API is the product or a layer beneath the dashboard. On API-first posture, the structured collectors did not surface an OpenAPI spec, GraphQL endpoint, or SDK ecosystem strong enough to score this criterion automatically. Editorial follow-up should confirm whether an API spec exists behind authentication or in unindexed documentation.[1]

Schema observability is the related test: can an agent introspect the contract from cold, or does it have to read prose documentation to do so? The config schema is documented at pomerium.com/docs, and the open-source codebase exposes the contract.[2] Driving this product through an agent is not realistic with the current surface: the API exists, but it is not the contract the vendor optimises for.

On headless operability, the docs crawl did not produce topic coverage sufficient to score programmatic setup, billing, teams, schema, or CLI workflows. A targeted AI review pass should visit the vendor's docs index and confirm what programmatic surfaces actually exist.[3]

On the MCP and agent-integration axis, which is the fastest-moving criterion in the index, there is no first-party Pomerium MCP server.[4]

Event posture closes the loop: an agent that cannot react to state changes is reduced to polling. On webhooks and events, the docs crawler did not locate a webhooks reference page or events catalog. Editorial review should confirm whether the vendor publishes events at all, and if so whether signing and replay are documented.

Net assessment: Pomerium fails the floor checks of the methodology, with MCP posture[5] as the most acute gap. Any agent integration here will be brittle and short-lived until the vendor invests in machine-readable surfaces. Not currently suitable for agent consumption.
Verdict by Headless Index pipeline (auto)
// AI-drafted from the evidence layer. Editorial review pending.
Scores

Scorecard detail

Headless Index · 5 sub-criteria
API-first design intent: Unknown

Pomerium is an open-source identity-aware proxy for zero-trust access. The product is consumed primarily as a sidecar/gateway rather than via API.

signals (4)
  • AI review applied (reviewer: Editorial review on 2026-05-20)
  • OpenAPI spec: Not found across 17 probe paths
  • GraphQL endpoint: Not discovered (5 probes; project-scoped endpoints require a real project ID)
  • SDKs maintained: None detected in vendor org
cite (3)
  • openapi.probes_tried@2026-05-21
  • graphql.probes_tried@2026-05-21
  • github.sdks@2026-05-21
Headless operation: Unknown

Routes, policies, identity providers, and authorization rules are config-driven (YAML, Kubernetes CRDs). The pomerium-cli plus operator give shell and IaC paths.

signals (9)
  • AI review applied (reviewer: Editorial review on 2026-05-20)
  • API operations exposed: No OpenAPI spec; operations count unknown
  • Docs pages crawled: 0 pages (crawler: none)
  • Auth schemes documented: Auth documentation page not reached by crawler
  • Setup / quickstart docs: Not reached by crawler
  • Billing docs: Not reached by crawler
  • Teams / org docs: Not reached by crawler
  • CLI docs: Not reached by crawler
  • Schema / data model docs: Not reached by crawler
cite (8)
  • openapi.operations_count@2026-05-21
  • docs.pages_crawled@2026-05-21
  • docs.pages_crawled@2026-05-21
  • docs.topics_found.setup@2026-05-21
  • docs.topics_found.billing@2026-05-21
  • docs.topics_found.teams@2026-05-21
  • docs.topics_found.cli@2026-05-21
  • docs.topics_found.schema@2026-05-21
MCP & agent posture: 0/20 (scored)

No first-party Pomerium MCP server.

signals (4)
  • AI review applied (reviewer: Editorial review on 2026-05-20)
  • Official MCP server: None found in vendor's GitHub org or the official MCP registry
  • Community MCP servers: None found
  • Agent-friendly SDKs: No TypeScript/JavaScript SDK published (agents commonly run in TS/JS)
cite (3)
  • mcp.registry_query@2026-05-21
  • mcp.github_search_query@2026-05-21
  • github.sdks@2026-05-21
Schema observability: 5/20 (scored)

Config schema documented at pomerium.com/docs. Open-source codebase exposes the contract.

signals (3)
  • AI review applied (reviewer: Editorial review on 2026-05-20)
  • OpenAPI: Not discovered across 17 standard probe paths
  • GraphQL introspection: No GraphQL endpoint discovered (5 probes; some vendors use project-scoped endpoints that require a real project handle)
cite (2)
  • openapi.probes_tried@2026-05-21
  • graphql.probes_tried@2026-05-21
Webhooks & events: Unknown

Audit log export via webhooks for SIEM ingest. Catalog matches zero-trust audit.

signals (2)
  • AI review applied (reviewer: Editorial review on 2026-05-20)
  • Webhook docs page: Not reached by crawler within budget (0 pages crawled). Cannot confirm whether vendor offers webhooks.
cite (1)
  • docs.pages_crawled@2026-05-21
JAIRF · 6 dimensions
JAIRF · N/A

This vendor does not publish a public OpenAPI specification. JAIRF cannot be computed. The Headless Index score and editorial verdict carry the readiness assessment.

No public OpenAPI specification discovered during collection

Band rationale: F band triggered: HeadlessIndex=13
