
What is mTLS?

Mutual TLS (mTLS) is a security protocol that enhances the standard TLS protocol by requiring both the client and the server to authenticate each other using digital certificates.

Key Features of mTLS

  1. Two-Way Authentication: Both client and server present certificates to verify identities.
  2. Secure Data Transmission: All communication is encrypted, protecting sensitive data from unauthorized access or tampering.
  3. Trusted Certificates: Certificates issued by trusted Certificate Authorities establish trust between parties.

Why Use mTLS?

mTLS provides a higher level of security by combining encryption with mutual authentication, making it ideal for securing APIs, webhooks, and sensitive data exchanges.

How mTLS Works

  1. Certificate Exchange: Both the client and server exchange certificates to verify their identities.
  2. TLS Handshake: A secure handshake is performed, generating session keys for encrypted communication.
  3. Encrypted Communication: All data exchanged is encrypted, ensuring privacy and integrity.

mTLS for Public APIs

To ensure secure access to Transcrypts’s public APIs, mTLS is implemented for the following endpoints:

Environment   Endpoint
Production    api-mtls.transcrypts.com

Steps to Connect

1. Generate a Private Key and CSR

Use the supported formats (an X.509v3 CSR, an RSA or ECDSA key, SHA256 as the signature digest). Include the subject details: common name, organization, and location. Only the CSR is submitted; the private key stays on your side. Example CSR subject:
  CN: api-mtls.<name>.transcrypts.com
  O: Transcrypts Inc
  L: Miami
  ST: Florida
  C: US

2. Submit CSR to Transcrypts

Transcrypts will issue a signed certificate valid for one year.

3. Connect to API

Use the signed certificate together with the private key from step 1 to authenticate, for example with curl:
  curl --cert $CERT.pem --key $PRIVATE_KEY.key $URL

4. Work with Transcrypts Support

Complete setup and enable for your account.

5. Use Transcrypts’s Client ID and Access Key

Reference the API Keys documentation for details.
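Steps 1 and 3 above in Go, as an added example that is not Transcrypts code: NewKeyAndCSR produces the key and a CSR with exactly the subject fields shown in step 1, and ClientTLSConfig is the Go equivalent of the curl --cert/--key call. The name "example" and the certificate input are assumptions; the real certificate is the one Transcrypts returns in step 2.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
)
// NewKeyAndCSR is step 1: P-256 ECDSA key + X.509 CSR with this page's subject
// (CN api-mtls.<name>.transcrypts.com, O, L, ST, C), SHA256-signed. Send only csrPEM.
func NewKeyAndCSR(name string) (keyPEM, csrPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject: pkix.Name{
			CommonName:   "api-mtls." + name + ".transcrypts.com",
			Organization: []string{"Transcrypts Inc"},
			Locality:     []string{"Miami"},
			Province:     []string{"Florida"}, // the ST field
			Country:      []string{"US"},
		},
		SignatureAlgorithm: x509.ECDSAWithSHA256,
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return nil, nil, err
	}
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	csrPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: csrDER})
	return keyPEM, csrPEM, nil
}

// ClientTLSConfig is step 3 (the curl --cert/--key call) in Go: present the issued
// certificate and private key on every connection, and refuse anything below TLS 1.2.
func ClientTLSConfig(certPEM, keyPEM []byte) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}, nil
}
```

Store keyPEM with restricted file permissions; the returned tls.Config goes into an http.Transport's TLSClientConfig when calling api-mtls.transcrypts.com.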

mTLS for Webhooks

Transcrypts supports mTLS for webhook communication, ensuring secure and trusted data exchange between Transcrypts and its clients.

Webhook Authentication Options

Using Transcrypts’s Signed Certificate

Transcrypts provides a public certificate (domain: mtls-prod.transcrypts.com) that clients can configure on their server to establish an mTLS connection.

Using Client-Signed Certificate

Transcrypts can submit a Certificate Signing Request (CSR) to the client. The client issues a signed certificate, which Transcrypts then presents together with its private key when authenticating to the client's webhook endpoint.

Originating IP Address

Refer to the Webhooks documentation for the IP addresses used for webhook delivery. Some client networks require these addresses to be explicitly allowed before Transcrypts can reach the webhook endpoint.

Configuring Custom Headers for Webhooks

Transcrypts allows clients to configure custom headers when invoking webhooks. This can include passing a Client ID and Client Secret for additional authentication. Work with Transcrypts to configure these settings.