Transport Layer Security (TLS) and mutual TLS (mTLS) are critical for securing communication between services. TLS ensures encrypted transport, while mTLS adds client certificate enforcement for stronger mutual trust. This topic explains how TLS and mTLS apply to the MCP server and downstream services.

Server transport security

The MCP interface uses TLS to secure all communication between clients and the server. TLS provides encryption and integrity for data in transit.
  • TLS—Wraps the MCP interface to protect against eavesdropping and tampering.
  • mTLS—Adds client certificate enforcement, ensuring that both the server and client authenticate each other. This creates a stronger trust model.

Downstream TLS and mTLS configuration

Downstream services can be configured independently for TLS or mTLS. This flexibility allows you to supply a separate client identity when calling upstream APIs.
  • Independent configuration—Downstream TLS and mTLS settings do not depend on MCP server settings.
  • Separate client identity—You can provide a unique client certificate for upstream API calls to differentiate identities across services.
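
The inbound and downstream settings described in both sections above, sketched with Python's standard `ssl` module. This is an added example, not the MCP server's own code or configuration syntax; the function names, the `mtls` flag and all file path parameters are assumptions made for illustration.

```python
import ssl

def inbound_context(cert=None, key=None, client_ca=None, mtls=False):
    """Listener side: TLS only, or mTLS when mtls=True (paths are hypothetical)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert:
        ctx.load_cert_chain(cert, key)            # server identity
    if mtls:
        ctx.verify_mode = ssl.CERT_REQUIRED       # handshake fails without a client cert
        if client_ca:
            ctx.load_verify_locations(cafile=client_ca)  # CA that issues client certs
    return ctx

def downstream_context(client_cert=None, client_key=None, ca=None):
    """Outbound side: built separately, so it never inherits inbound settings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # verifies server cert and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if ca:
        ctx.load_verify_locations(cafile=ca)
    else:
        ctx.load_default_certs()
    if client_cert:
        # Separate client identity presented to the upstream API (downstream mTLS).
        ctx.load_cert_chain(client_cert, client_key)
    return ctx

def posture(ctx):
    """Summarise what a context enforces, for a configuration review."""
    verifies = ctx.verify_mode == ssl.CERT_REQUIRED
    anchors = ctx.cert_store_stats()["x509_ca"]
    return {
        "verifies_peer": verifies,
        "trust_anchors": anchors,
        # Requiring a peer certificate with no CA loaded rejects every peer.
        "misconfigured": verifies and anchors == 0,
    }

if __name__ == "__main__":
    print("inbound TLS :", posture(inbound_context()))
    print("inbound mTLS:", posture(inbound_context(mtls=True)))  # no CA given: flagged
    print("downstream  :", posture(downstream_context()))
```

`posture()` flags the common mTLS mistake of turning on client certificate enforcement without loading the CA that issues client certificates, which makes every handshake fail.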