diff --git a/.tool-versions b/.tool-versions
index 850d43e16..3bc80ec4a 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1 +1 @@
-golang 1.20.3
+golang 1.20.10
diff --git a/Makefile b/Makefile
index 17ed350db..06f6c78ea 100644
--- a/Makefile
+++ b/Makefile
@@ -41,7 +41,7 @@ all: clean build-deps test lint build ## Runs a clean, build, fmt, lint, test, a
 .PHONY: generate-mocks
 generate-mocks: ## Generate mocks
 	@echo "==> $@"
-	@go run github.com/golang/mock/mockgen -destination internal/directory/auth0/mock_auth0/mock.go github.com/pomerium/pomerium/internal/directory/auth0 RoleManager
+	@go run github.com/golang/mock/mockgen@v1.6.0 -destination internal/directory/auth0/mock_auth0/mock.go github.com/pomerium/pomerium/internal/directory/auth0 RoleManager
 
 .PHONY: get-envoy
 get-envoy: ## Fetch envoy binaries
diff --git a/config/envoyconfig/envoyconfig.go b/config/envoyconfig/envoyconfig.go
index 6e9c36b16..b8bf34c93 100644
--- a/config/envoyconfig/envoyconfig.go
+++ b/config/envoyconfig/envoyconfig.go
@@ -22,7 +22,6 @@ import (
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_extensions_access_loggers_grpc_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/grpc/v3"
 	envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
-	"github.com/golang/protobuf/ptypes/wrappers"
 	"github.com/martinlindhe/base36"
 	"golang.org/x/net/nettest"
 	"google.golang.org/protobuf/proto"
@@ -46,14 +45,14 @@ var (
 type Endpoint struct {
 	url                url.URL
 	transportSocket    *envoy_config_core_v3.TransportSocket
-	loadBalancerWeight *wrappers.UInt32Value
+	loadBalancerWeight *wrapperspb.UInt32Value
 }
 
 // NewEndpoint creates a new Endpoint.
 func NewEndpoint(u *url.URL, ts *envoy_config_core_v3.TransportSocket, weight uint32) Endpoint {
-	var w *wrappers.UInt32Value
+	var w *wrapperspb.UInt32Value
 	if weight > 0 {
-		w = &wrappers.UInt32Value{Value: weight}
+		w = &wrapperspb.UInt32Value{Value: weight}
 	}
 	return Endpoint{url: *u, transportSocket: ts, loadBalancerWeight: w}
 }
diff --git a/config/envoyconfig/listeners.go b/config/envoyconfig/listeners.go
index 2e807340d..9b506071e 100644
--- a/config/envoyconfig/listeners.go
+++ b/config/envoyconfig/listeners.go
@@ -17,7 +17,6 @@ import (
 	envoy_http_connection_manager "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3"
 	envoy_extensions_transport_sockets_tls_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3"
 	envoy_type_v3 "github.com/envoyproxy/go-control-plane/envoy/type/v3"
-	"github.com/golang/protobuf/ptypes/wrappers"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
 
@@ -297,7 +296,7 @@ func (b *Builder) buildMainHTTPConnectionManagerFilter(
 			Provider:       tracingProvider,
 		},
 		// See https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#x-forwarded-for
-		UseRemoteAddress:  &wrappers.BoolValue{Value: true},
+		UseRemoteAddress:  &wrapperspb.BoolValue{Value: true},
 		SkipXffAppend:     cfg.Options.SkipXffAppend,
 		XffNumTrustedHops: cfg.Options.XffNumTrustedHops,
 		LocalReplyConfig:  b.buildLocalReplyConfig(cfg.Options),
@@ -485,7 +484,7 @@ func (b *Builder) buildRouteConfiguration(name string, virtualHosts []*envoy_con
 		Name:         name,
 		VirtualHosts: virtualHosts,
 		// disable cluster validation since the order of LDS/CDS updates isn't guaranteed
-		ValidateClusters: &wrappers.BoolValue{Value: false},
+		ValidateClusters: &wrapperspb.BoolValue{Value: false},
 	}, nil
 }
 
@@ -567,8 +566,7 @@ func (b *Builder) buildDownstreamValidationContext(
 	if cfg.Options.DownstreamMTLS.GetEnforcement() == config.MTLSEnforcementRejectConnection {
 		dtc.RequireClientCertificate = wrapperspb.Bool(true)
 	} else {
-		vc.TrustChainVerification =
-			envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext_ACCEPT_UNTRUSTED
+		vc.TrustChainVerification = envoy_extensions_transport_sockets_tls_v3.CertificateValidationContext_ACCEPT_UNTRUSTED
 	}
 
 	if crl := cfg.Options.DownstreamMTLS.CRL; crl != "" {
@@ -582,10 +580,9 @@ func (b *Builder) buildDownstreamValidationContext(
 		vc.Crl = b.filemgr.FileDataSource(crlf)
 	}
 
-	dtc.CommonTlsContext.ValidationContextType =
-		&envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
-			ValidationContext: vc,
-		}
+	dtc.CommonTlsContext.ValidationContextType = &envoy_extensions_transport_sockets_tls_v3.CommonTlsContext_ValidationContext{
+		ValidationContext: vc,
+	}
 }
 
 // clientCABundle returns a bundle of the globally configured client CA and any
diff --git a/config/envoyconfig/per_filter_config.go b/config/envoyconfig/per_filter_config.go
index 02fc65eaa..3907b3d78 100644
--- a/config/envoyconfig/per_filter_config.go
+++ b/config/envoyconfig/per_filter_config.go
@@ -4,14 +4,14 @@ import (
 	"strconv"
 
 	envoy_extensions_filters_http_ext_authz_v3 "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3"
-	"github.com/golang/protobuf/ptypes/any"
+	"google.golang.org/protobuf/types/known/anypb"
 )
 
 // PerFilterConfigExtAuthzName is the name of the ext authz filter to apply config to
 const PerFilterConfigExtAuthzName = "envoy.filters.http.ext_authz"
 
 // PerFilterConfigExtAuthzContextExtensions returns a per-filter config for ext authz that disables ext-authz.
-func PerFilterConfigExtAuthzContextExtensions(authzContextExtensions map[string]string) *any.Any {
+func PerFilterConfigExtAuthzContextExtensions(authzContextExtensions map[string]string) *anypb.Any {
 	return marshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthzPerRoute{
 		Override: &envoy_extensions_filters_http_ext_authz_v3.ExtAuthzPerRoute_CheckSettings{
 			CheckSettings: &envoy_extensions_filters_http_ext_authz_v3.CheckSettings{
@@ -22,7 +22,7 @@ func PerFilterConfigExtAuthzContextExtensions(authzContextExtensions map[string]
 }
 
 // PerFilterConfigExtAuthzDisabled returns a per-filter config for ext authz that disables ext-authz.
-func PerFilterConfigExtAuthzDisabled() *any.Any {
+func PerFilterConfigExtAuthzDisabled() *anypb.Any {
 	return marshalAny(&envoy_extensions_filters_http_ext_authz_v3.ExtAuthzPerRoute{
 		Override: &envoy_extensions_filters_http_ext_authz_v3.ExtAuthzPerRoute_Disabled{
 			Disabled: true,
diff --git a/config/envoyconfig/routes.go b/config/envoyconfig/routes.go
index abef68d02..37207ef0e 100644
--- a/config/envoyconfig/routes.go
+++ b/config/envoyconfig/routes.go
@@ -10,8 +10,7 @@ import (
 	envoy_config_core_v3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
 	envoy_config_route_v3 "github.com/envoyproxy/go-control-plane/envoy/config/route/v3"
 	envoy_type_matcher_v3 "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3"
-	"github.com/golang/protobuf/ptypes/any"
-	"github.com/golang/protobuf/ptypes/wrappers"
+	"google.golang.org/protobuf/types/known/anypb"
 	"google.golang.org/protobuf/types/known/durationpb"
 	"google.golang.org/protobuf/types/known/structpb"
 	"google.golang.org/protobuf/types/known/wrapperspb"
@@ -42,7 +41,7 @@ func (b *Builder) buildGRPCRoutes() ([]*envoy_config_route_v3.Route, error) {
 			Grpc: &envoy_config_route_v3.RouteMatch_GrpcRouteMatchOptions{},
 		},
 		Action: action,
-		TypedPerFilterConfig: map[string]*any.Any{
+		TypedPerFilterConfig: map[string]*anypb.Any{
 			PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled(),
 		},
 	}}, nil
@@ -126,7 +125,7 @@ func (b *Builder) buildControlPlanePathRoute(
 			},
 		},
 		ResponseHeadersToAdd: toEnvoyHeaders(options.GetSetResponseHeaders()),
-		TypedPerFilterConfig: map[string]*any.Any{
+		TypedPerFilterConfig: map[string]*anypb.Any{
 			PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzContextExtensions(MakeExtAuthzContextExtensions(true, 0)),
 		},
 	}
@@ -150,7 +149,7 @@ func (b *Builder) buildControlPlanePrefixRoute(
 			},
 		},
 		ResponseHeadersToAdd: toEnvoyHeaders(options.GetSetResponseHeaders()),
-		TypedPerFilterConfig: map[string]*any.Any{
+		TypedPerFilterConfig: map[string]*anypb.Any{
 			PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzContextExtensions(MakeExtAuthzContextExtensions(true, 0)),
 		},
 	}
@@ -304,11 +303,11 @@ func (b *Builder) buildRouteForPolicyAndMatch(
 		return nil, err
 	}
 	if isFrontingAuthenticate {
-		route.TypedPerFilterConfig = map[string]*any.Any{
+		route.TypedPerFilterConfig = map[string]*anypb.Any{
 			PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzDisabled(),
 		}
 	} else {
-		route.TypedPerFilterConfig = map[string]*any.Any{
+		route.TypedPerFilterConfig = map[string]*anypb.Any{
 			PerFilterConfigExtAuthzName: PerFilterConfigExtAuthzContextExtensions(MakeExtAuthzContextExtensions(false, routeID)),
 		}
 		luaMetadata["remove_pomerium_cookie"] = &structpb.Value{
@@ -396,18 +395,18 @@ func (b *Builder) buildPolicyRouteRouteAction(options *config.Options, policy *c
 	upgradeConfigs := []*envoy_config_route_v3.RouteAction_UpgradeConfig{
 		{
 			UpgradeType: "websocket",
-			Enabled:     &wrappers.BoolValue{Value: policy.AllowWebsockets},
+			Enabled:     &wrapperspb.BoolValue{Value: policy.AllowWebsockets},
 		},
 		{
 			UpgradeType: "spdy/3.1",
-			Enabled:     &wrappers.BoolValue{Value: policy.AllowSPDY},
+			Enabled:     &wrapperspb.BoolValue{Value: policy.AllowSPDY},
 		},
 	}
 
 	if policy.IsTCP() {
 		upgradeConfigs = append(upgradeConfigs, &envoy_config_route_v3.RouteAction_UpgradeConfig{
 			UpgradeType:   "CONNECT",
-			Enabled:       &wrappers.BoolValue{Value: true},
+			Enabled:       &wrapperspb.BoolValue{Value: true},
 			ConnectConfig: &envoy_config_route_v3.RouteAction_UpgradeConfig_ConnectConfig{},
 		})
 	}
@@ -417,7 +416,7 @@ func (b *Builder) buildPolicyRouteRouteAction(options *config.Options, policy *c
 		},
 		UpgradeConfigs: upgradeConfigs,
 		HostRewriteSpecifier: &envoy_config_route_v3.RouteAction_AutoHostRewrite{
-			AutoHostRewrite: &wrappers.BoolValue{Value: !policy.PreserveHostHeader},
+			AutoHostRewrite: &wrapperspb.BoolValue{Value: !policy.PreserveHostHeader},
 		},
 		Timeout:       routeTimeout,
 		IdleTimeout:   idleTimeout,
diff --git a/go.mod b/go.mod
index ac5e79bfe..57d4ea79a 100644
--- a/go.mod
+++ b/go.mod
@@ -16,7 +16,6 @@ require (
 	github.com/caddyserver/certmagic v0.19.2
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/cespare/xxhash/v2 v2.2.0
-	github.com/client9/misspell v0.3.4
 	github.com/cloudflare/circl v1.3.3
 	github.com/coreos/go-oidc/v3 v3.6.0
 	github.com/docker/docker v24.0.6+incompatible
@@ -27,7 +26,6 @@ require (
 	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/go-redis/redis/v8 v8.11.5
 	github.com/golang/mock v1.6.0
-	github.com/golang/protobuf v1.5.3
 	github.com/google/btree v1.1.2
 	github.com/google/go-cmp v0.5.9
 	github.com/google/go-jsonnet v0.20.0
@@ -129,6 +127,7 @@ require (
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
 	github.com/google/go-tpm v0.3.3 // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
@@ -138,7 +137,6 @@ require (
 	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/iancoleman/strcase v0.2.0 // indirect
 	github.com/imdario/mergo v0.3.13 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20221227161230-091c0ba34f0a // indirect
@@ -148,7 +146,6 @@ require (
 	github.com/lib/pq v1.10.7 // indirect
 	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
-	github.com/lyft/protoc-gen-star/v2 v2.0.3 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
@@ -197,7 +194,6 @@ require (
 	go.opentelemetry.io/otel/trace v1.16.0 // indirect
 	go.uber.org/goleak v1.2.1 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 // indirect
 	golang.org/x/mod v0.11.0 // indirect
 	golang.org/x/sys v0.13.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
diff --git a/go.sum b/go.sum
index 158622b16..9d7a6c6b4 100644
--- a/go.sum
+++ b/go.sum
@@ -147,7 +147,6 @@ github.com/chzyer/logex v1.1.10/go.mod h1:+Ywpsq7O8HXn0nuIou7OrIPyXbp3wmkHB+jjWR
 github.com/chzyer/readline v0.0.0-20180603132655-2972be24d48e/go.mod h1:nSuG5e5PlCu98SY8svDHJxuZscDgtXS6KTTbou5AhLI=
 github.com/chzyer/test v0.0.0-20180213035817-a1ea475d72b1/go.mod h1:Q3SI9o4m/ZMnBNeIyt5eFwwo7qiLfzFZmjNmxjkiQlU=
 github.com/cilium/ebpf v0.7.0/go.mod h1:/oI2+1shJiTGAMgl6/RgJr36Eo1jzrRcAWbcXO2usCA=
-github.com/client9/misspell v0.3.4 h1:ta993UF76GwbvJcIo3Y68y/M3WxlpEHPWIGDkJYwzJI=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEMs=
 github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA=
@@ -393,8 +392,6 @@ github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyf
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
 github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU=
-github.com/iancoleman/strcase v0.2.0 h1:05I4QRnGpI0m37iZQRuskXh+w77mr6Z41lwQzuHLwW0=
-github.com/iancoleman/strcase v0.2.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
 github.com/ianlancetaylor/demangle v0.0.0-20181102032728-5e5cf60278f6/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/ianlancetaylor/demangle v0.0.0-20200824232613-28f6c0f3b639/go.mod h1:aSSvb/t6k1mPoxDqO4vJh6VOCGPwU4O0C2/Eqndh1Sc=
 github.com/imdario/mergo v0.3.13 h1:lFzP57bqS/wsqKssCGmtLAb8A0wKjLGrve2q3PPVcBk=
@@ -448,8 +445,6 @@ github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 h1:6E+4a0GO5zZEnZ81pIr0yLvtUWk2if982qA3F3QD6H4=
 github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lyft/protoc-gen-star/v2 v2.0.3 h1:/3+/2sWyXeMLzKd1bX+ixWKgEMsULrIivpDsuaF441o=
-github.com/lyft/protoc-gen-star/v2 v2.0.3/go.mod h1:amey7yeodaJhXSbf/TlLvWiqQfLOSpEk//mLlc+axEk=
 github.com/lyft/protoc-gen-validate v0.0.13/go.mod h1:XbGvPuh87YZc5TdIa2/I4pLk0QoUACkjt2znoq26NVQ=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
@@ -776,8 +771,6 @@ golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRu
 golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616 h1:VLliZ0d+/avPrXXH+OakdXhpJuEoBZuwh1m2j7U6Iug=
-golang.org/x/lint v0.0.0-20210508222113-6edffad5e616/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE=
 golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o=
 golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc=
diff --git a/internal/testutil/testutil.go b/internal/testutil/testutil.go
index 4e7c62eee..a0933cd06 100644
--- a/internal/testutil/testutil.go
+++ b/internal/testutil/testutil.go
@@ -8,10 +8,10 @@ import (
 	"reflect"
 	"testing"
 
-	"github.com/golang/protobuf/proto"
 	"github.com/google/go-cmp/cmp"
 	"github.com/stretchr/testify/assert"
 	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/reflect/protoreflect"
 	"google.golang.org/protobuf/testing/protocmp"
 )
 
@@ -47,8 +47,7 @@ func reformatJSON(raw json.RawMessage) string {
 }
 
 func toProtoJSON(protoMsg interface{}) json.RawMessage {
-	v2 := proto.MessageV2(protoMsg)
-	bs, _ := protojson.Marshal(v2)
+	bs, _ := protojson.Marshal(protoMsg.(protoreflect.ProtoMessage))
 	return bs
 }
 
diff --git a/pkg/grpc/audit/audit.pb.go b/pkg/grpc/audit/audit.pb.go
index 4434a1db5..2f8820f26 100644
--- a/pkg/grpc/audit/audit.pb.go
+++ b/pkg/grpc/audit/audit.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: audit.proto
 
diff --git a/pkg/grpc/cli/api.pb.go b/pkg/grpc/cli/api.pb.go
index 5861f527d..11cc8bd7f 100644
--- a/pkg/grpc/cli/api.pb.go
+++ b/pkg/grpc/cli/api.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: api.proto
 
diff --git a/pkg/grpc/config/config.pb.go b/pkg/grpc/config/config.pb.go
index 26b0ca481..42751cd6c 100644
--- a/pkg/grpc/config/config.pb.go
+++ b/pkg/grpc/config/config.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: config.proto
 
@@ -341,13 +341,13 @@ type Route struct {
 	// len(load_balancing_weights)
 	LoadBalancingWeights []uint32       `protobuf:"varint,37,rep,packed,name=load_balancing_weights,json=loadBalancingWeights,proto3" json:"load_balancing_weights,omitempty"`
 	Redirect             *RouteRedirect `protobuf:"bytes,34,opt,name=redirect,proto3" json:"redirect,omitempty"`
-	// Deprecated: Marked as deprecated in config.proto.
+	// Deprecated: Do not use.
 	AllowedUsers []string `protobuf:"bytes,4,rep,name=allowed_users,json=allowedUsers,proto3" json:"allowed_users,omitempty"`
 	// repeated string allowed_groups = 5 [ deprecated = true ];
 	//
-	// Deprecated: Marked as deprecated in config.proto.
+	// Deprecated: Do not use.
 	AllowedDomains []string `protobuf:"bytes,6,rep,name=allowed_domains,json=allowedDomains,proto3" json:"allowed_domains,omitempty"`
-	// Deprecated: Marked as deprecated in config.proto.
+	// Deprecated: Do not use.
 	AllowedIdpClaims                          map[string]*structpb.ListValue `protobuf:"bytes,32,rep,name=allowed_idp_claims,json=allowedIdpClaims,proto3" json:"allowed_idp_claims,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
 	Prefix                                    string                         `protobuf:"bytes,7,opt,name=prefix,proto3" json:"prefix,omitempty"`
 	Path                                      string                         `protobuf:"bytes,8,opt,name=path,proto3" json:"path,omitempty"`
@@ -462,7 +462,7 @@ func (x *Route) GetRedirect() *RouteRedirect {
 	return nil
 }
 
-// Deprecated: Marked as deprecated in config.proto.
+// Deprecated: Do not use.
 func (x *Route) GetAllowedUsers() []string {
 	if x != nil {
 		return x.AllowedUsers
@@ -470,7 +470,7 @@ func (x *Route) GetAllowedUsers() []string {
 	return nil
 }
 
-// Deprecated: Marked as deprecated in config.proto.
+// Deprecated: Do not use.
 func (x *Route) GetAllowedDomains() []string {
 	if x != nil {
 		return x.AllowedDomains
@@ -478,7 +478,7 @@ func (x *Route) GetAllowedDomains() []string {
 	return nil
 }
 
-// Deprecated: Marked as deprecated in config.proto.
+// Deprecated: Do not use.
 func (x *Route) GetAllowedIdpClaims() map[string]*structpb.ListValue {
 	if x != nil {
 		return x.AllowedIdpClaims
@@ -1606,7 +1606,7 @@ func (x *Settings) GetCodecType() v31.HttpConnectionManager_CodecType {
 	if x != nil && x.CodecType != nil {
 		return *x.CodecType
 	}
-	return v31.HttpConnectionManager_CodecType(0)
+	return v31.HttpConnectionManager_AUTO
 }
 
 func (x *Settings) GetAuditKey() *crypt.PublicKeyEncryptionKey {
diff --git a/pkg/grpc/crypt/crypt.pb.go b/pkg/grpc/crypt/crypt.pb.go
index 8680dcfd1..5a43de911 100644
--- a/pkg/grpc/crypt/crypt.pb.go
+++ b/pkg/grpc/crypt/crypt.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: crypt.proto
 
diff --git a/pkg/grpc/databroker/databroker.go b/pkg/grpc/databroker/databroker.go
index e47641f4a..91a57f7a7 100644
--- a/pkg/grpc/databroker/databroker.go
+++ b/pkg/grpc/databroker/databroker.go
@@ -16,8 +16,8 @@ import (
 	"github.com/pomerium/pomerium/pkg/protoutil"
 )
 
-//go:generate go run github.com/golang/mock/mockgen -source=databroker.pb.go -destination ./mock_databroker/databroker.pb.go DataBrokerServiceClient
-//go:generate go run github.com/golang/mock/mockgen -source=leaser.go -destination ./mock_databroker/leaser.go LeaserHandler
+//go:generate go run github.com/golang/mock/mockgen@v1.6.0 -source=databroker.pb.go -destination ./mock_databroker/databroker.pb.go DataBrokerServiceClient
+//go:generate go run github.com/golang/mock/mockgen@v1.6.0 -source=leaser.go -destination ./mock_databroker/leaser.go LeaserHandler
 
 type recordObject interface {
 	proto.Message
diff --git a/pkg/grpc/databroker/databroker.pb.go b/pkg/grpc/databroker/databroker.pb.go
index 1190ca42d..7f8c30b83 100644
--- a/pkg/grpc/databroker/databroker.pb.go
+++ b/pkg/grpc/databroker/databroker.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: databroker.proto
 
diff --git a/pkg/grpc/databroker/mock_databroker/databroker.pb.go b/pkg/grpc/databroker/mock_databroker/databroker.pb.go
index 1b23bcab8..b73c27f1e 100644
--- a/pkg/grpc/databroker/mock_databroker/databroker.pb.go
+++ b/pkg/grpc/databroker/mock_databroker/databroker.pb.go
@@ -355,7 +355,7 @@ func (mr *MockDataBrokerService_SyncClientMockRecorder) Recv() *gomock.Call {
 }
 
 // RecvMsg mocks base method.
-func (m_2 *MockDataBrokerService_SyncClient) RecvMsg(m interface{}) error {
+func (m_2 *MockDataBrokerService_SyncClient) RecvMsg(m any) error {
 	m_2.ctrl.T.Helper()
 	ret := m_2.ctrl.Call(m_2, "RecvMsg", m)
 	ret0, _ := ret[0].(error)
@@ -369,7 +369,7 @@ func (mr *MockDataBrokerService_SyncClientMockRecorder) RecvMsg(m interface{}) *
 }
 
 // SendMsg mocks base method.
-func (m_2 *MockDataBrokerService_SyncClient) SendMsg(m interface{}) error {
+func (m_2 *MockDataBrokerService_SyncClient) SendMsg(m any) error {
 	m_2.ctrl.T.Helper()
 	ret := m_2.ctrl.Call(m_2, "SendMsg", m)
 	ret0, _ := ret[0].(error)
@@ -478,7 +478,7 @@ func (mr *MockDataBrokerService_SyncLatestClientMockRecorder) Recv() *gomock.Cal
 }
 
 // RecvMsg mocks base method.
-func (m_2 *MockDataBrokerService_SyncLatestClient) RecvMsg(m interface{}) error {
+func (m_2 *MockDataBrokerService_SyncLatestClient) RecvMsg(m any) error {
 	m_2.ctrl.T.Helper()
 	ret := m_2.ctrl.Call(m_2, "RecvMsg", m)
 	ret0, _ := ret[0].(error)
@@ -492,7 +492,7 @@ func (mr *MockDataBrokerService_SyncLatestClientMockRecorder) RecvMsg(m interfac
 }
 
 // SendMsg mocks base method.
-func (m_2 *MockDataBrokerService_SyncLatestClient) SendMsg(m interface{}) error {
+func (m_2 *MockDataBrokerService_SyncLatestClient) SendMsg(m any) error {
 	m_2.ctrl.T.Helper()
 	ret := m_2.ctrl.Call(m_2, "SendMsg", m)
 	ret0, _ := ret[0].(error)
@@ -728,7 +728,7 @@ func (mr *MockDataBrokerService_SyncServerMockRecorder) Context() *gomock.Call {
 }
 
 // RecvMsg mocks base method.
-func (m_2 *MockDataBrokerService_SyncServer) RecvMsg(m interface{}) error {
+func (m_2 *MockDataBrokerService_SyncServer) RecvMsg(m any) error {
 	m_2.ctrl.T.Helper()
 	ret := m_2.ctrl.Call(m_2, "RecvMsg", m)
 	ret0, _ := ret[0].(error)
@@ -770,7 +770,7 @@ func (mr *MockDataBrokerService_SyncServerMockRecorder) SendHeader(arg0 interfac
 }
 
 // SendMsg mocks base method.
-func (m_2 *MockDataBrokerService_SyncServer) SendMsg(m interface{}) error {
+func (m_2 *MockDataBrokerService_SyncServer) SendMsg(m any) error {
 	m_2.ctrl.T.Helper()
 	ret := m_2.ctrl.Call(m_2, "SendMsg", m)
 	ret0, _ := ret[0].(error)
@@ -847,7 +847,7 @@ func (mr *MockDataBrokerService_SyncLatestServerMockRecorder) Context() *gomock.
 }
 
 // RecvMsg mocks base method.
-func (m_2 *MockDataBrokerService_SyncLatestServer) RecvMsg(m interface{}) error {
+func (m_2 *MockDataBrokerService_SyncLatestServer) RecvMsg(m any) error {
 	m_2.ctrl.T.Helper()
 	ret := m_2.ctrl.Call(m_2, "RecvMsg", m)
 	ret0, _ := ret[0].(error)
@@ -889,7 +889,7 @@ func (mr *MockDataBrokerService_SyncLatestServerMockRecorder) SendHeader(arg0 in
 }
 
 // SendMsg mocks base method.
-func (m_2 *MockDataBrokerService_SyncLatestServer) SendMsg(m interface{}) error {
+func (m_2 *MockDataBrokerService_SyncLatestServer) SendMsg(m any) error {
 	m_2.ctrl.T.Helper()
 	ret := m_2.ctrl.Call(m_2, "SendMsg", m)
 	ret0, _ := ret[0].(error)
diff --git a/pkg/grpc/device/device.pb.go b/pkg/grpc/device/device.pb.go
index b6a4da065..48c5e6d19 100644
--- a/pkg/grpc/device/device.pb.go
+++ b/pkg/grpc/device/device.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: device.proto
 
diff --git a/pkg/grpc/events/last_error.pb.go b/pkg/grpc/events/last_error.pb.go
index 79ce2f997..95e4add19 100644
--- a/pkg/grpc/events/last_error.pb.go
+++ b/pkg/grpc/events/last_error.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: last_error.proto
 
diff --git a/pkg/grpc/identity/identity.pb.go b/pkg/grpc/identity/identity.pb.go
index 7b0bac831..100e1858f 100644
--- a/pkg/grpc/identity/identity.pb.go
+++ b/pkg/grpc/identity/identity.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: identity.proto
 
diff --git a/pkg/grpc/registry/registry.pb.go b/pkg/grpc/registry/registry.pb.go
index 8f88669e0..e37174fbe 100644
--- a/pkg/grpc/registry/registry.pb.go
+++ b/pkg/grpc/registry/registry.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: registry.proto
 
diff --git a/pkg/grpc/session/session.pb.go b/pkg/grpc/session/session.pb.go
index ab589a0c7..11c63d4f3 100644
--- a/pkg/grpc/session/session.pb.go
+++ b/pkg/grpc/session/session.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: session.proto
 
diff --git a/pkg/grpc/user/user.pb.go b/pkg/grpc/user/user.pb.go
index f33d7c4f6..2075969ae 100644
--- a/pkg/grpc/user/user.pb.go
+++ b/pkg/grpc/user/user.pb.go
@@ -1,6 +1,6 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
-// 	protoc-gen-go v1.31.0
+// 	protoc-gen-go v1.26.0
 // 	protoc        v3.21.7
 // source: user.proto
 
diff --git a/pkg/storage/postgres/registry.go b/pkg/storage/postgres/registry.go
index d0e7dfd12..6d7efe05c 100644
--- a/pkg/storage/postgres/registry.go
+++ b/pkg/storage/postgres/registry.go
@@ -4,7 +4,7 @@ import (
 	"context"
 	"time"
 
-	"github.com/golang/protobuf/proto"
+	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/durationpb"
 
 	"github.com/pomerium/pomerium/internal/sets"
diff --git a/scripts/protoc-gen-go b/scripts/protoc-gen-go
index b4065945f..bdac981de 100755
--- a/scripts/protoc-gen-go
+++ b/scripts/protoc-gen-go
@@ -1,3 +1,3 @@
 #!/bin/bash
 set -euo pipefail
-exec go run github.com/golang/protobuf/protoc-gen-go "$@"
+exec go run github.com/golang/protobuf/protoc-gen-go@v1.5.3 "$@"
diff --git a/scripts/protoc-gen-validate b/scripts/protoc-gen-validate
index 78c8dc20c..a102d4943 100755
--- a/scripts/protoc-gen-validate
+++ b/scripts/protoc-gen-validate
@@ -1,3 +1,3 @@
 #!/bin/bash
 set -euo pipefail
-exec go run github.com/envoyproxy/protoc-gen-validate "$@"
+exec go run github.com/envoyproxy/protoc-gen-validate@v1.0.2 "$@"
diff --git a/tools.go b/tools.go
deleted file mode 100644
index de59acd09..000000000
--- a/tools.go
+++ /dev/null
@@ -1,11 +0,0 @@
-//go:build tools
-// +build tools
-
-package pomerium
-
-import (
-	_ "github.com/client9/misspell/cmd/misspell"
-	_ "github.com/envoyproxy/protoc-gen-validate"
-	_ "github.com/golang/mock/mockgen"
-	_ "github.com/golang/protobuf/protoc-gen-go"
-)