mTLS Auth Policy

This policy will authenticate users based on mTLS certificates that are configured for your project. This policy is available only to enterprise customers (contact to request info). When a requests is authenticated with an mTLS certificate, the certificate data will be set as the user object of the request. The user.sub property will be the value of the certificates DN.

Paid Add On

This policy is only available as a paid add-on. If you would like to try this please reach out to us:


The configuration shows how to configure the policy in the 'policies.json' document.

{ "name": "my-mtls-auth-inbound-policy", "policyType": "mtls-auth-inbound", "handler": { "export": "MTLSAuthInboundPolicy", "module": "$import(@zuplo/runtime)", "options": { "allowExpiredCertificates": false, "allowRevokedCertificates": false, "allowUnauthenticatedRequests": false } } }

Policy Configuration

  • name <string> - The name of your policy instance. This is used as a reference in your routes.
  • policyType <string> - The identifier of the policy. This is used by the Zuplo UI. Value should be mtls-auth-inbound.
  • handler.export <string> - The name of the exported type. Value should be MTLSAuthInboundPolicy.
  • handler.module <string> - The module containing the policy. Value should be $import(@zuplo/runtime).
  • handler.options <object> - The options for this policy. See Policy Options below.

Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

  • allowUnauthenticatedRequests <boolean> -
    Indicates whether the request should continue if authentication fails. Default is false which means unauthenticated users will automatically receive a 401 response.
    Defaults to false.
  • allowExpiredCertificates <boolean> -
    Indicates whether the request should continue if the certificate is expired.
    Defaults to false.
  • allowRevokedCertificates <boolean> -
    Indicates whether the request should continue if the certificate is revoked.
    Defaults to false.

Using the Policy

Read more about how policies work

Basic Auth