Cloudflare Docs
Learning Paths
Edit this page on GitHub
Set theme to dark (⇧+D)

Mutual TLS (mTLS)

  1 min read

Mutual TLS (mTLS) authentication uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.

mTLS sequence diagram

Support includes gRPC-based APIs, which use binary formats such as protocol buffers rather than JSON.

​​ Creating a mTLS rule

  1. Log in to the Cloudflare dashboard and select your account and domain.

  2. Go to SSL/TLS > Client Certificates.

  3. Select Create a mTLS rule.

  4. In Custom rules, several rule parameters have already been filled in. Enter the URI path you want to protect in Value.

  5. (Optional) Add a Hostname field and enter the mTLS-enabled hostnames you wish to protect in Value.

  6. In Choose action, select Block.

  7. Select Deploy to make the rule active.

Once you have deployed your mTLS rule, any requests without a valid client certificate will be blocked.