Two Way Authentication
In ordinary TLS only the server proves who it is. The client stays anonymous at the transport layer and authenticates later with a password or token. Mutual TLS, often called mTLS, adds a second step: the client also presents a certificate, so both ends are verified before any application data flows.
This is widely used for service-to-service communication inside a system, where every service holds its own certificate issued by an internal authority.
How It Changes the Handshake
- The server sends a CertificateRequest asking the client to authenticate.
- The client responds with its certificate and a signed proof it holds the matching private key.
- The server validates that the client certificate chains to a trusted internal authority.
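The three steps above, run end to end in Go's standard crypto/tls as an added example (this code is not part of the original page). It builds a constructed in-memory PKI, so the names "Internal Service CA", "api.internal", "billing.internal" and "Some Other CA" are made up for the demonstration. The server is configured to send a CertificateRequest and to accept only chains ending at the internal CA; the example then drives three clients at it: one holding a certificate from the internal CA, one presenting no certificate, and one holding a certificate with the right name but signed by an authority the server does not trust. A caveat the code has to handle: under TLS 1.3 the client's side of the handshake completes before the server has judged the client certificate, so the client only learns the verdict on its first read.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issueCert mints a short-lived Ed25519 certificate for name, entirely in memory.
// With ca == nil it is a self-signed CA; otherwise it is a leaf signed by ca.
func issueCert(name string, ca *tls.Certificate) tls.Certificate {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(time.Hour), // short-lived: rotate instead of revoke
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, any(key) // self-signed unless a CA is given
	if ca == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
	} else {
		parent, signer = ca.Leaf, ca.PrivateKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
		tmpl.DNSNames = []string{name}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	must(err)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// mtlsHandshake runs one handshake over loopback TCP. The server demands a client certificate
// chaining to trusted and, on success, sends back the verified client CommonName as the first
// application data. clientCert == nil models a client that presents no certificate at all.
func mtlsHandshake(serverCert tls.Certificate, trusted *x509.CertPool, clientCert *tls.Certificate) (string, error) {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // send CertificateRequest; abort if the client stays anonymous
		ClientCAs:    trusted,                         // the client's chain must end at the internal CA
	}
	clientCfg := &tls.Config{RootCAs: trusted, ServerName: serverCert.Leaf.Subject.CommonName}
	if clientCert != nil {
		clientCfg.Certificates = []tls.Certificate{*clientCert} // answers CertificateRequest; CertificateVerify is signed with the private key
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	must(err)
	srvDone := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			srv := tls.Server(raw, serverCfg)
			defer srv.Close()
			if err = srv.Handshake(); err == nil {
				cn := srv.ConnectionState().PeerCertificates[0].Subject.CommonName // populated only after verification against ClientCAs
				_, err = srv.Write([]byte(cn))
			}
		}
		srvDone <- err // handshake errors here read e.g. "client didn't provide a certificate"
	}()
	// Under TLS 1.3 (Go's default) the client finishes first, so Dial can succeed before
	// the server has judged the client certificate; the verdict arrives on the first Read.
	cli, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	buf, n := make([]byte, 256), 0
	if err == nil {
		n, err = cli.Read(buf)
		cli.Close()
	}
	ln.Close() // also unblocks Accept if the client never connected
	if serr := <-srvDone; serr != nil {
		return "", serr
	}
	return string(buf[:n]), err
}

func main() {
	ca := issueCert("Internal Service CA", nil) // constructed in-memory CA
	trusted := x509.NewCertPool()
	trusted.AddCert(ca.Leaf)
	server, client := issueCert("api.internal", &ca), issueCert("billing.internal", &ca)
	other := issueCert("Some Other CA", nil)
	rogue := issueCert("billing.internal", &other) // same name, but an issuer the server does not trust
	for _, cc := range []*tls.Certificate{&client, nil, &rogue} { // trusted, anonymous, rogue issuer
		fmt.Println(mtlsHandshake(server, trusted, cc))
	}
}
```

Two design choices worth noting. The trusted pool holds only the internal CA, never the system roots: a certificate from a public authority is meaningless as a service identity here, which is exactly what the rogue-issuer case exercises. And each leaf carries both the server and client extended key usages, because in service-to-service traffic the same process is a server to some peers and a client to others, and one short-lived certificate per service covers both roles.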
Why It Is Strong
mTLS ties identity to a private key rather than a shared secret. Stolen bearer tokens can be replayed, but a certificate proof requires the private key, which never leaves the holder. Combined with short-lived certificates, it gives strong, automatically rotating identity for machines.
Key idea
Mutual TLS makes both client and server present certificates, binding identity to a private key instead of a replayable secret, which is ideal for authenticating services to each other.