mTLS
When using HTTPS ↗, a server presents a certificate for the client to authenticate in order to prove their identity. For even tighter security, some services require that the client also present a certificate.
This process - known as mTLS ↗ - moves authentication to the protocol of TLS, rather than managing it in application code. Connections from unauthorized clients are rejected during the TLS handshake instead.
To present a client certificate when communicating with a service, create a mTLS certificate binding in your Worker project's wrangler.toml
file. This will allow your Worker to present a client certificate to a service on your behalf.
First, upload a certificate and its private key to your account using the wrangler mtls-certificate
command:
Then, update your Worker project's wrangler.toml
file to create an mTLS certificate binding:
Adding an mTLS certificate binding includes a variable in the Worker's environment on which the fetch()
method is available. This fetch()
method uses the standard Fetch API and has the exact same signature as the global fetch
, but always presents the client certificate when establishing the TLS connection.