--- id: api-mutual-tls-client-certificate-authentication title: 'API Mutual TLS Client Certificate Authentication' schema_type: TechArticle category: computer-science language: en confidence: medium last_verified: '2026-06-02' created_date: '2026-06-02' generation_method: ai_structured derived_from_human_seed: true conflict_of_interest: none_declared is_live_document: false data_period: static atomic_facts: - id: fact-computer-science-api-mutual-tls-client-certificate-authentication-1 statement: >- RFC 8705 defines certificate-bound access tokens and mutual-TLS client authentication for OAuth 2.0. source_title: RFC 8705 OAuth 2.0 Mutual TLS source_url: https://datatracker.ietf.org/doc/html/rfc8705 confidence: medium - id: fact-computer-science-api-mutual-tls-client-certificate-authentication-2 statement: >- Amazon API Gateway documentation describes configuring mutual TLS authentication for custom domain names. source_title: Amazon API Gateway Mutual TLS source_url: https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html confidence: medium - id: fact-computer-science-api-mutual-tls-client-certificate-authentication-3 statement: >- Cloudflare API Shield documentation describes mutual TLS as requiring clients to present a client certificate. source_title: Cloudflare API Shield Mutual TLS source_url: https://developers.cloudflare.com/api-shield/security/mtls/ confidence: medium completeness: 0.83 known_gaps: - Mutual TLS reliability depends on trust stores, certificate chains, revocation, SAN matching, load balancer termination, rotation, and client library behavior. disputed_statements: [] primary_sources: - title: RFC 8705 OAuth 2.0 Mutual TLS type: rfc year: 2020 url: https://datatracker.ietf.org/doc/html/rfc8705 institution: IETF - title: Amazon API Gateway Mutual TLS type: documentation year: 2026 url: https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html institution: Amazon Web Services - title: Cloudflare API Shield Mutual TLS type: documentation year: 2026 url: https://developers.cloudflare.com/api-shield/security/mtls/ institution: Cloudflare secondary_sources: [] updated: '2026-06-02' ai_models: - gpt-5-codex --- ## TL;DR Mutual TLS uses client certificates as an API authentication boundary, so agents must inspect certificate and trust-chain evidence before changing auth code. ## Core Explanation API clients can fail before reaching application authorization when mutual TLS rejects a missing, expired, untrusted, or mismatched client certificate. That failure often appears as a TLS handshake error or gateway-level denial. Agents should identify where TLS terminates, which CA bundle is trusted, which client certificate was presented, and whether certificate rotation or hostname constraints changed. The repair may be certificate distribution, not code. ## Source-Mapped Facts - RFC 8705 defines certificate-bound access tokens and mutual-TLS client authentication for OAuth 2.0. ([source](https://datatracker.ietf.org/doc/html/rfc8705)) - Amazon API Gateway documentation describes configuring mutual TLS authentication for custom domain names. ([source](https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html)) - Cloudflare API Shield documentation describes mutual TLS as requiring clients to present a client certificate. ([source](https://developers.cloudflare.com/api-shield/security/mtls/)) ## Further Reading - [RFC 8705 OAuth 2.0 Mutual TLS](https://datatracker.ietf.org/doc/html/rfc8705) - [Amazon API Gateway Mutual TLS](https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html) - [Cloudflare API Shield Mutual TLS](https://developers.cloudflare.com/api-shield/security/mtls/)