Security

mTLS

Mutual TLS — both client and server present certificates.


In plain terms

The default for service-to-service authentication in a service mesh: each workload proves who it is with a certificate rather than a shared secret. For binding an OAuth access token to the client that obtained it, certificate-bound tokens (RFC 8705) use mTLS; DPoP (RFC 9449) is the alternative that needs no client certificate.

Origin

Mutual TLS is plain TLS with client authentication switched on: the server sends a CertificateRequest, the client answers with its own certificate and proves possession of the key, and the server verifies the chain against the CAs it trusts. Client certificates have been in the protocol since SSL 3.0 (1996); what changed around 2017 was service-mesh tooling that automated issuing and rotating short-lived certificates for every workload, which is what made mTLS practical at scale.
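The "TLS with client authentication switched on" point above, as an added example that is not from this page or from any project it names: a Go program (standard library only) that mints a throwaway CA, a server certificate and two client certificates in memory, starts a loopback server with ClientAuth set to RequireAndVerifyClientCert, and then connects three times: with a certificate from the trusted CA, with no certificate, and with a certificate issued by a different CA. The CA, the names demo-ca, server.local, payments-svc and rogue-ca, and the greeting are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert mints a throwaway Ed25519 cert for cn: a self-signed CA if parent is nil, else a one-hour leaf signed by parent.
func issueCert(cn string, parent *x509.Certificate, parentKey any, eku x509.ExtKeyUsage) (*x509.Certificate, tls.Certificate) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127)) // random serial, as a real CA would
	must(err)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { // self-signed CA: the template is its own issuer and key its own signer
		tmpl.IsCA, tmpl.KeyUsage, parent, parentKey = true, tmpl.KeyUsage|x509.KeyUsageCertSign, tmpl, key
	} else { // leaf: scoped to one extended key usage; the SAN is what hostname verification checks
		tmpl.ExtKeyUsage, tmpl.DNSNames = []x509.ExtKeyUsage{eku}, []string{cn}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

// startServer listens on loopback and requires every client to present a cert that chains to trust.
func startServer(serverCert tls.Certificate, trust *x509.CertPool) (net.Listener, string) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the mTLS switch: demand and verify a client cert
		ClientCAs:    trust,
	})
	must(err)
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			tc := c.(*tls.Conn)
			if tc.Handshake() == nil { // fails when no cert, or one outside trust, is presented
				fmt.Fprintf(tc, "hello %s", tc.ConnectionState().PeerCertificates[0].Subject.CommonName)
			}
			tc.Close()
		}
	}()
	return ln, ln.Addr().String()
}

// connect dials the server as a client; an empty clientCert means "present no certificate".
func connect(addr string, trust *x509.CertPool, clientCert tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: trust, ServerName: "server.local"}
	// Always offer clientCert, skipping the client-side acceptable-CA filter, so the server decides.
	cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		return &clientCert, nil
	}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 64)
	n, err := conn.Read(buf) // under TLS 1.3 a rejected client cert surfaces here, not on Dial
	return string(buf[:n]), err
}

// RunDemo runs three handshakes against one mTLS server: trusted client cert, no cert, cert from another CA.
func RunDemo() (greeting string, noCertErr, rogueCertErr error) {
	ca, caTLS := issueCert("demo-ca", nil, nil, 0)
	_, srv := issueCert("server.local", ca, caTLS.PrivateKey, x509.ExtKeyUsageServerAuth)
	_, good := issueCert("payments-svc", ca, caTLS.PrivateKey, x509.ExtKeyUsageClientAuth)
	rogueCA, rogueTLS := issueCert("rogue-ca", nil, nil, 0)
	_, bad := issueCert("payments-svc", rogueCA, rogueTLS.PrivateKey, x509.ExtKeyUsageClientAuth)
	trust := x509.NewCertPool() // one trust domain: server and clients all trust demo-ca only
	trust.AddCert(ca)
	ln, addr := startServer(srv, trust)
	defer ln.Close()
	greeting, err := connect(addr, trust, good)
	must(err)
	_, noCertErr = connect(addr, trust, tls.Certificate{})
	_, rogueCertErr = connect(addr, trust, bad)
	return greeting, noCertErr, rogueCertErr
}

func main() { // stand-alone run: prints the greeting and the two rejection errors
	fmt.Println(RunDemo())
}
```

Two things to notice. The server's check is not "did the client send a certificate" but "does the certificate chain to a CA in ClientCAs": the rogue client presents a perfectly valid certificate for the same name, issued by a CA the server does not trust, and is rejected just like the client with no certificate. And after a successful handshake the verified peer certificate is the caller's identity, which is what a mesh or an application authorizes on (SPIFFE puts the workload ID in a URI SAN rather than the CN used here for brevity). The GetClientCertificate callback is only there to make the rogue case unambiguous: without it the Go client would quietly decline to send a certificate whose issuer is not on the server's acceptable-CA list, and the rejection would happen on the client side instead.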

Where it shows up in production
  • Istio / Linkerd: automatic mTLS between every pod, terminated in injected sidecar proxies; the application code is untouched and the mesh handles certificate issuance and rotation.
  • SPIFFE / SPIRE: workload identities issued as short-lived X.509 certificates (SVIDs) whose SPIFFE ID is carried in a URI SAN; mTLS is the default transport between workloads.
  • Cloudflare Access: zero-trust access to internal services in place of a VPN; a client certificate (mTLS) can be required as an additional check alongside identity-provider login.