Client authentication with mTLS
When using HTTPS, the server presents a certificate that the client validates to prove the server's identity. For tighter security, some services also require the client to present a certificate.
This process - known as mTLS (mutual TLS) - moves authentication into the TLS protocol rather than application code: connections from unauthorized clients are rejected during the TLS handshake, before any request reaches the application.
To present a client certificate when communicating with a service, create an mTLS certificate binding in your Worker project's wrangler.toml file. This allows your Worker to present the client certificate to the service on your behalf.
First, upload a certificate and its private key to your account using the wrangler mtls-certificate command:

$ wrangler mtls-certificate upload --cert cert.pem --key key.pem --name my-client-cert
Then, update your Worker project's wrangler.toml file to create an mTLS certificate binding:

wrangler.toml
mtls_certificates = [
  { binding = "MY_CERT", certificate_id = "<CERTIFICATE_ID>" }
]
Adding an mTLS certificate binding adds a variable to the Worker's environment that exposes a fetch() method. This fetch() method uses the standard Fetch API and has exactly the same signature as the global fetch, but always presents the client certificate when establishing the TLS connection.
Interface
JavaScript
export default {
  async fetch(request, environment) {
    return await environment.MY_CERT.fetch("https://a-secured-origin.com");
  }
}

TypeScript
interface Env {
  MY_CERT: Fetcher;
}

export default {
  async fetch(request: Request, environment: Env) {
    return await environment.MY_CERT.fetch("https://a-secured-origin.com");
  }
}
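A fuller Worker built on the same binding, added here as an example and not taken from the Cloudflare docs: it proxies incoming requests to the mTLS-protected origin through MY_CERT, drops caller credentials that should not travel upstream, and reports a missing binding or a failed handshake as an error response. It assumes the binding name MY_CERT from the wrangler.toml above and uses the docs' placeholder hostname a-secured-origin.com.

```javascript
// Added example, not Cloudflare's code: a Worker that proxies incoming
// requests to an mTLS-protected origin through the MY_CERT binding from
// wrangler.toml. "a-secured-origin.com" is the same placeholder the docs use.

const ORIGIN = "https://a-secured-origin.com";

// The client certificate is the credential for the origin, so caller-supplied
// credentials meant for the Worker itself should not travel upstream.
const DROPPED_HEADERS = ["authorization", "cookie"];

// Rewrite the URL so only the path and query of the incoming request reach
// the origin; method, headers and body are copied from the original request.
function buildUpstreamRequest(request) {
  const incoming = new URL(request.url);
  const upstream = new URL(incoming.pathname + incoming.search, ORIGIN);
  const forwarded = new Request(upstream.toString(), request);
  for (const name of DROPPED_HEADERS) forwarded.headers.delete(name);
  return forwarded;
}

// A missing binding would otherwise be a TypeError at request time; report it
// as a configuration error instead of silently using the global fetch, which
// presents no client certificate.
async function proxyWithClientCert(request, env) {
  if (!env.MY_CERT || typeof env.MY_CERT.fetch !== "function") {
    return new Response("mTLS binding MY_CERT is not configured", { status: 500 });
  }
  try {
    return await env.MY_CERT.fetch(buildUpstreamRequest(request));
  } catch (err) {
    // A rejected client certificate fails during the TLS handshake, so the
    // error surfaces here rather than as an HTTP status from the origin.
    return new Response(`upstream mTLS request failed: ${err.message}`, { status: 502 });
  }
}

export default {
  async fetch(request, env) {
    return proxyWithClientCert(request, env);
  },
};
```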