
Client authentication with mTLS

When using HTTPS, the server presents a certificate that the client verifies to confirm the server's identity. For even tighter security, some services require that the client also present a certificate.

This process, known as mTLS, moves client authentication into the TLS protocol itself rather than leaving it to application code. Connections from unauthorized clients are rejected during the TLS handshake instead.

To present a client certificate when communicating with a service, create an mTLS certificate binding in your Worker project’s wrangler.toml file. This will allow your Worker to present a client certificate to a service on your behalf.

First, upload a certificate and its private key to your account using the wrangler mtls-certificate command:

$ npx wrangler mtls-certificate upload --cert cert.pem --key key.pem --name my-client-cert

Then, update your Worker project’s wrangler.toml file to create an mTLS certificate binding:

wrangler.toml
mtls_certificates = [
{ binding = "MY_CERT", certificate_id = "<CERTIFICATE_ID>" }
]

Adding an mTLS certificate binding includes a variable in the Worker’s environment on which the fetch() method is available. This fetch() method uses the standard Fetch API and has the exact same signature as the global fetch, but always presents the client certificate when establishing the TLS connection.

Interface

JavaScript

export default {
  async fetch(request, environment) {
    return await environment.MY_CERT.fetch("https://a-secured-origin.com");
  }
};

TypeScript

interface Env {
  MY_CERT: Fetcher;
}

export default {
  async fetch(request, environment): Promise<Response> {
    return await environment.MY_CERT.fetch("https://a-secured-origin.com");
  }
} satisfies ExportedHandler<Env>;