Mutual TLS

Mutual TLS is a form of TLS where both sides of the connection authenticate with certificates instead of only the server doing so.

Often abbreviated mTLS, it means the client proves its identity with a certificate too, not just the service it is calling.

Why It Matters

Mutual TLS matters because some systems need stronger trust between services, devices, or workloads than a server-only certificate check provides. It adds another layer of identity assurance at the connection level.

It also matters because it can reduce reliance on weaker shared secrets for machine-to-machine trust in the right environments.

Where It Appears in Real Systems or Security Workflow

Mutual TLS appears in service-to-service communication, API gateways, internal PKI deployments, device identity, and zero-trust network designs. Teams connect it to TLS, Digital Certificate, Certificate Authority, Workload Identity, and Authentication.

It is especially valuable when one service needs stronger assurance about the specific client or workload calling it.

Practical Example

A company’s internal API gateway requires certificates from both the calling service and the destination service. If either side cannot present a trusted certificate, the connection is refused.
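The gateway behaviour in this example, worked through in Go as an added illustration (this is not code from the original page): a throwaway CA issues certificates to a gateway and a calling service, the gateway runs with `tls.RequireAndVerifyClientCert`, and the handshake is accepted only when the caller presents a certificate that chains to that CA. The names `internal-ca`, `api-gateway` and `billing-svc` are made up for the example.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue creates a certificate for cn signed by parent/parentKey; a nil parent yields a self-signed root.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, // CertSign below only matters for the CA
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}, // loopback SAN so the caller can verify the gateway
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, cert, key
}

// handshake runs one mTLS handshake over loopback and returns the verified caller identity, or the gateway's error when the caller presents no certificate or an untrusted one.
func handshake(ca *x509.Certificate, gateway tls.Certificate, caller []tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // calling service: trusts the CA and offers whatever client certs it has (possibly none)
		if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, Certificates: caller}); err == nil { c.Close() }
	}()
	raw, _ := ln.Accept() // exactly one inbound connection, from the goroutine above
	defer raw.Close()
	// gateway: RequireAndVerifyClientCert refuses any peer whose certificate does not chain to ClientCAs
	srv := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{gateway}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert})
	if err := srv.Handshake(); err != nil { return "", err }
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

The same check fails for a caller whose certificate was issued by a different CA, which is the "cannot present a trusted certificate" case in the example above.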

Common Misunderstandings and Close Contrasts

Mutual TLS is not the same as ordinary TLS. Ordinary TLS commonly authenticates the server to the client, while mTLS adds client-side certificate authentication as well.

It is also not a full replacement for application-layer Authorization. Connection trust helps, but the application may still need to decide what an authenticated client is allowed to do.