STANDARD

OAuth mTLS (RFC 8705) — Primer

OAuth mTLS (RFC 8705) authenticates clients with mutual‑TLS and binds access tokens to the client certificate (sender‑constrained).


Why it matters

Standards reduce risk and vendor lock‑in. We implement this spec across our Studios and runtime so policy is portable.

Where it’s enforced

  • Gateway: pre‑execution gating (plan/schema pins, params/egress)
  • Shield: inline budgets/stream caps/content checks
  • PDP: decisions with constraints/obligations/TTL
  • IdP: passports, token exchange, consent/DPoP

How it works (high level)

RFC 8705 defines OAuth 2.0 mutual‑TLS: the client authenticates to the authorization server (AS) with its TLS client certificate, and the AS issues access tokens bound to that certificate, which the resource server (RS) checks on its own mTLS connection. Two client‑authentication methods are defined: tls_client_auth (a CA‑issued certificate validated through PKI and matched against the client's registered subject) and self_signed_tls_client_auth (a self‑signed certificate the client registered in advance). A certificate‑bound token carries a cnf (confirmation) claim whose x5t#S256 member is the base64url‑encoded SHA‑256 thumbprint of the certificate's DER encoding, for example:

```json
"cnf": {"x5t#S256": "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"}
```

```mermaid
sequenceDiagram
  participant Client
  participant AS as Authorization Server (mTLS)
  participant RS as Resource Server (mTLS)
  Client->>AS: TLS handshake (client cert) + /token
  AS-->>Client: cert-bound access_token (cnf.x5t#S256)
  Client->>RS: TLS handshake (same cert) + request
  RS->>RS: Verify cert thumbprint matches token
```
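The binding check the diagram ends on (the RS comparing the certificate presented on the mTLS connection against the token's cnf.x5t#S256), as an added Python example that is not part of this page or the product it describes. It assumes the token's signature has already been validated and that the resource server can obtain the peer certificate's DER bytes from its TLS layer; the certificate bytes, function names and sample claims below are constructed for illustration. The same thumbprint helper produces the value the AS places in cnf when it mints the token.

```python
import base64
import hashlib
import hmac
from typing import Any, Dict, Optional

# Constructed stand-ins for DER-encoded X.509 client certificates. In a real
# deployment these bytes come from the TLS layer (the peer certificate of the
# mTLS connection); any byte string is enough to demonstrate the thumbprint.
CLIENT_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-client-cert-der-bytes" * 4
OTHER_CERT_DER = b"\x30\x82\x01\x0a" + b"constructed-other-cert-der-bytes" * 4


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER certificate)) without '=' padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def bind_token_to_cert(claims: Dict[str, Any], cert_der: bytes) -> Dict[str, Any]:
    """AS side: return a copy of the claims with the cnf confirmation claim added."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": x5t_s256(cert_der)}
    return bound


def verify_cert_bound_token(claims: Dict[str, Any],
                            presented_cert_der: Optional[bytes]) -> bool:
    """RS side: accept only when the token's cnf thumbprint matches the TLS peer cert.

    A token without cnf is an ordinary bearer token; an RS that requires
    sender-constrained tokens rejects it. A request with no client certificate
    cannot satisfy the binding either.
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str) or presented_cert_der is None:
        return False
    actual = x5t_s256(presented_cert_der)
    # Constant-time comparison so the check does not leak how many leading
    # characters of the thumbprint matched.
    return hmac.compare_digest(expected.encode("ascii"), actual.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample: the AS mints a token for the client's certificate...
    token_claims = bind_token_to_cert({"iss": "https://as.example", "sub": "client-1",
                                       "scope": "read"}, CLIENT_CERT_DER)
    print("cnf claim:", token_claims["cnf"])
    # ...and the RS accepts it only over a connection using that same certificate.
    print("same cert :", verify_cert_bound_token(token_claims, CLIENT_CERT_DER))
    print("other cert:", verify_cert_bound_token(token_claims, OTHER_CERT_DER))
    print("no cnf    :", verify_cert_bound_token({"sub": "client-1"}, CLIENT_CERT_DER))
```

The thumbprint is computed over the raw DER bytes, not the PEM text, and is compared with the full certificate the peer actually presented in the handshake, so a token stolen from one client is useless on a connection authenticated with a different certificate.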