Skip to Content

Configure mutual TLS / mTLS

Published: 2022-06-27

When using HTTP-based origins with WunderGraph, it might be the case that your origin requires you to use mutual TLS / mTLS for authentication. Mutual TLS is a security feature that requires the client to authenticate with the server using a certificate.

This feature is available to all HTTP-based DataSources, meaning that it's possible to use with GraphQL and REST APIs.

To configure it, add the mTLS section to the DataSource introspection config. Then add an EnvironmentVariable for both key and cert. Enable insecureSkipVerify only if you want to accept any certificate presented by the server and any host name in that certificate. For GraphQL DataSources the key and cert environment variables must available at wunderctl up to introspect the API with the correct TLS settings.

const superSecureAPI = introspect.graphql({
apiNamespace: 'secure',
url: '',
mTLS: {
key: new EnvironmentVariable("KEY"),
cert: new EnvironmentVariable("CERT"),
insecureSkipVerify: true,

Certificate Format#

Certificates need to be in PEM format (Base64 encoded). Example of a certificate (ca.pem):


Environment Variables#

In order to pass a certificate as environment variable, you have to format it correctly with LF (Line Feed) characters. Use this snippet to transform it:

awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' ca.pem



Local .env file#

By default WunderGraph loads a local .env file from your working directory. Ensure to quote the values in the file, otherwise the characters aren't interpreted correctly.




Subscribe to our newsletter!

Stay informed when great things happen! Get the latest news about APIs, GraphQL and more straight into your mailbox.

© 2022 WunderGraph