Mutual TLS

mTLS.

A TLS variant where both client and server present X.509 certificates to authenticate each other, used for service-to-service auth and high-assurance API access.

mTLS is operationally heavier than bearer tokens: certificate provisioning, rotation, and revocation become first-class concerns. The right fit is service-to-service traffic at scale (where token theft is the binding threat) and regulated APIs (where the spec requires sender-constrained auth). For browser-based auth, DPoP is usually the lighter alternative.
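As an added illustration (not the glossary's own code), the following Go program shows the exchange described above end to end: a throwaway CA issues a server certificate and a client certificate, the server is configured with `RequireAndVerifyClientCert` so that only certificates chaining to that CA are accepted, and a connection presenting the CA-issued client certificate succeeds while one presenting none is rejected during the handshake. The CA, the names `api` and `billing-svc`, and the `issue`/`demo` helpers are assumptions made for this demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)
// issue mints a short-lived Ed25519 certificate: a self-signed CA when parent is nil, otherwise a leaf signed by parent/parentKey (throwaway demo PKI, not a real issuer).
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour), // short lifetime: rotation is routine, not an emergency
		KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed root that vouches for both sides
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage, parent, parentKey = true, true, x509.KeyUsageCertSign, tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// demo starts a server that requires a client certificate chaining to the CA, then connects once with such a certificate and once with none.
func demo() (withCert, withoutCert error) {
	ca, caKey := issue("demo-ca", nil, nil)
	srv, srvKey := issue("api", ca, caKey)
	cli, cliKey := issue("billing-svc", ca, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ts := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte(r.TLS.PeerCertificates[0].Subject.CommonName)) })) // caller identity comes from the verified certificate, not from a forgeable header
	ts.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey}},
		ClientAuth: tls.RequireAndVerifyClientCert, // the mTLS switch: no valid client certificate, no connection
		ClientCAs:  pool}                           // only leaves chaining to our CA are accepted
	ts.StartTLS()
	defer ts.Close()
	get := func(certs ...tls.Certificate) error { // the client verifies the server against the same CA
		resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool, ServerName: "localhost", Certificates: certs}}}).Get(ts.URL)
		if err != nil {
			return err
		}
		return resp.Body.Close()
	}
	return get(tls.Certificate{Certificate: [][]byte{cli.Raw}, PrivateKey: cliKey}), get() // second call sends no certificate, so the handshake fails
}
func main() { fmt.Println(demo()) }
```

The handler never runs for the certificate-less client because the server aborts the handshake before any HTTP request is read, which is the property that makes a stolen bearer token useless against an mTLS-protected endpoint.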

Common questions

When does mTLS make sense over OAuth?

How does mTLS compare to DPoP?

Is mTLS supported in browser auth?

Related terms

In the guides

Last updated 2026-05-07.