Every service proves its identity. Every connection is verified.
Mutual TLS without the complexity – client certificates issued by Trust CA, deployed and rotated automatically.
What it does
Certificate-based identity for every service. Issued, distributed, rotated, and revoked – without manual intervention.
Client certificate issuance
Client certificates issued by Trust CA – scoped to service, environment, and role.
Automatic distribution
Certificates delivered to services automatically. No manual copying, no shared secrets, no out-of-band transfers.
Rotation without downtime
Certificates rotate on schedule. No restarts, no connection drops, no coordination across teams.
Instant revocation
Compromised service? Revoke its certificate immediately. Every relying party knows within seconds – not at next renewal.
Identity-based access
Access decisions based on cryptographic identity – not network position, IP allowlists, or shared API keys.
A2A identity support
The same certificate infrastructure extends to AI agents. Every agent gets a verifiable identity – not just an API key.
How it works
Both sides of every connection prove identity before exchanging a single byte.
- Trust based on network position
- API keys and shared secrets
- Internal traffic implicitly trusted
- No per-service identity
- Trust based on cryptographic identity
- Client certificates per service
- Every connection authenticated both ways
- Revocable, auditable, rotatable
mTLS isn't just for services
AI agents are the hidden multiplier of machine identity. Every agent that calls an API, accesses a database, or communicates with another agent needs a verifiable identity – not an API key that can be copied, shared, or leaked.
mTLS gives agents the same cryptographic identity as services. The same issuance, rotation, and revocation – extended to every autonomous system in your infrastructure.
Learn about A2A IdentityWhere mTLS matters most
Every pod gets a cryptographic identity. Service-to-service communication authenticated at the TLS layer – not with tokens or service account keys.
Works with Istio, Linkerd, and custom mesh configurations.
Network position is not identity. mTLS enforces authentication at every service boundary – the infrastructure layer that makes zero-trust real, not theoretical.
Enforced authentication, not policy documents.
FAPI 2.0 and PSD2 require certificate-bound tokens and mutual authentication. mTLS is not optional in these environments – it's mandated.
FAPI 2.0, PSD2, and financial-grade API security.
Part of [cyphrs]™ Hub
mTLS depends on the rest of the platform. Every module plays a role.
Trust CA issues the client certificates that power mTLS. Every identity traces back to a root you own.
Public certificates at the edge via ACME ARI automated renewal. mTLS internally. Hub routes each certificate to the right authority.
Scout discovers services that should be using mTLS but aren't – then closes the gap by deploying certificates automatically.
Identity for every service. Verified at every connection.
Early access is free. We're working with a small number of teams to shape the platform.