Mutual TLS (mTLS)

SECURITY

Quick Definition

Mutual TLS (mTLS) extends standard TLS by requiring the client to present a certificate that the server validates, in addition to the server presenting its certificate. Both ends prove their identity cryptographically. mTLS is the standard for service-to-service authentication in modern microservice architectures and is foundational to zero-trust networks.

How it works

In standard TLS, only the server has a certificate (signed by a CA the client trusts). The client can verify the server's identity, but the server learns nothing about the client from the handshake itself: it can only rely on credentials (passwords, tokens, API keys) sent over the encrypted channel afterwards. In mTLS, the server is configured to require a client certificate. The client presents one signed by a CA the server trusts, and the server validates it during the handshake. If validation fails, the handshake fails and the connection is dropped before any application data is accepted.

The cost is operational complexity: client certificates have to be issued, rotated, and revoked when compromised. Service meshes (Istio, Linkerd) automate this, issuing short-lived certificates to every workload based on SPIFFE identities. For HTTP APIs, mTLS replaces or supplements API keys with much stronger guarantees, since the credential is a private key that never crosses the wire rather than a bearer secret that can be copied from a request.

Why it matters

mTLS gives you cryptographic identity for every machine in the system. Combined with policy controls, it enforces "service A can talk to service B but not C" at the network level. For high-trust environments (financial services, government, healthcare), mTLS is increasingly required.
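As an added example (not code from TerminalFeed), here is the handshake described under "How it works" and the "service A may talk to service B but not C" policy from this section, written against Go's standard library: a throwaway CA issues a server certificate and two workload certificates carrying SPIFFE-style URI SANs, the server is configured with tls.RequireAndVerifyClientCert, and an HTTP handler authorizes on the identity the handshake has already verified. A third client that presents no certificate never gets past the handshake. The CA name, the spiffe://example.org/... identities, the service names and the small must helper are assumptions constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"net/url"
	"time"
)

// Policy: service-a may call this API, service-c may not (SPIFFE IDs are constructed for the example).
var allowedCallers = map[string]bool{"spiffe://example.org/ns/prod/sa/service-a": true}

// must keeps the example short: any setup failure aborts the demo.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a certificate from tmpl signed by parent (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, must(x509.ParseCertificate(der)), key
}

// leaf is the template for a short-lived workload certificate; the identity lives in the SPIFFE URI SAN.
func leaf(spiffeID string, usage x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: spiffeID},
		URIs: []*url.URL{must(url.Parse(spiffeID))}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
}

// apiHandler authorizes on the identity the TLS layer has already verified against the CA.
func apiHandler(w http.ResponseWriter, r *http.Request) {
	peer := r.TLS.PeerCertificates[0] // present and CA-signed, or the handshake would have failed
	if len(peer.URIs) == 0 || !allowedCallers[peer.URIs[0].String()] {
		http.Error(w, "forbidden", http.StatusForbidden)
		return
	}
	fmt.Fprintf(w, "hello %s", peer.URIs[0])
}

// call performs one GET; a nil clientCert models a client with nothing to present, which the server rejects in the handshake, so the request never reaches the handler.
func call(srv *httptest.Server, pool *x509.CertPool, clientCert *tls.Certificate) (int, error) {
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if clientCert != nil {
		cfg.Certificates = []tls.Certificate{*clientCert}
	}
	resp, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(srv.URL)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// Demo stands up a CA, an mTLS server and two workloads; it returns the HTTP status seen by service-a, the status seen by service-c, and the error a client with no certificate gets.
func Demo() (allowed, denied int, noCertErr error) {
	_, ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-mesh-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	serverCert, _, _ := issue(leaf("spiffe://example.org/ns/prod/sa/api", x509.ExtKeyUsageServerAuth), ca, caKey)
	svcA, _, _ := issue(leaf("spiffe://example.org/ns/prod/sa/service-a", x509.ExtKeyUsageClientAuth), ca, caKey)
	svcC, _, _ := issue(leaf("spiffe://example.org/ns/prod/sa/service-c", x509.ExtKeyUsageClientAuth), ca, caKey)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(apiHandler))
	// ClientCAs says who may sign client certificates; RequireAndVerifyClientCert is what turns TLS into mTLS.
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}, ClientCAs: pool, ClientAuth: tls.RequireAndVerifyClientCert}
	srv.StartTLS()
	defer srv.Close()
	allowed = must(call(srv, pool, &svcA))
	denied = must(call(srv, pool, &svcC))
	_, noCertErr = call(srv, pool, nil)
	return
}

func main() {
	allowed, denied, noCertErr := Demo()
	fmt.Printf("service-a: HTTP %d\nservice-c: HTTP %d\nno cert:   %v\n", allowed, denied, noCertErr)
}
```

Running it with go run prints HTTP 200 for service-a, HTTP 403 for service-c, and a TLS error for the client with no certificate. The two failure modes are deliberately different: service-c authenticates successfully (its certificate chains to the trusted CA) and is refused by policy in the handler, while the certificate-less client is refused by the handshake itself and never produces an HTTP request. The one-hour NotAfter stands in for the short-lived certificates a service mesh rotates automatically.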

Where you'll see this on TerminalFeed

The curl cheat sheet includes flags for testing mTLS endpoints with client certificates.