Stay organized with collections Save and categorize content based on your preferences.
Mutual TLS (mTLS) is an industry standard protocol for mutual authentication between a client and a server. The mTLS protocol ensures that both the client and server, at each end of a network connection, are who they claim they are by verifying that both possess the private key associated with the client certificate.
What is a client certificate?A client certificate, also called a Transport Layer Security (TLS) certificate, is a file that contains important information for verifying a device's identity. The certificate information includes the public key, a statement of who issued the certificate (certificates can be issued by certificate authorities or self- signed), and the certificate's expiration date.
How the Google APIs validate device identityThe TLS protocol uses a technique called public key infrastructure (PKI), which relies on a pair of asymmetric keys: a public key and a private key. Anything encrypted with the private key can be decrypted only with the public key. The Google Cloud APIs use the TLS protocol to verify the identity of a device by decrypting the message encrypted by the private key using the public key of the certificate during the mTLS handshake. The successful decryption proves the possession of the private key which is only available from trusted devices.
To enable the mTLS handshake and validation process, a client must do the following:
Establish an mTLS connection with the Google APIs by using mTLS-specific API endpoints. The mTLS-specific endpoints have the following format: [service].mtls.googleapis.com
Discover and use the device certificate during the mTLS handshake. If you are using Endpoint Verification for certificate deployment, this type of certificate is automatically discovered and used by the supported clients.
The following diagram illustrates the mTLS handshake between a client and a Google API server:
What's nextExcept as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-10-13 UTC.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-10-13 UTC."],[],[]]
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.5