Docs for how to configure endpoint mTLS

These docs describe how to enable mTLS for an endpoint, reflecting a
pending release (not yet in GA).

docs/receiving/using-app-portal/adding-endpoints.mdx

@@ -24,3 +24,30 @@ full descriptions of each endpoint as well as all the fields they send.
 If you don't specify any event types, by default, your endpoint will receive all events, regardless of type.
 This can be helpful for getting started and for testing, but we recommend changing this to a subset later on
 to avoid receiving unexpected messages.
+
+### Configuring mTLS
+
+Svix now supports Mutual TLS (mTLS), per endpoint. At this time this feature is only configurable via API.
+
+- `PUT $SVIX_ROOT/api/v1/app/APP/endpoint/ENDPOINT/mtls` to set the configuration options.
+- `DELETE $SVIX_ROOT/api/v1/app/APP/endpoint/ENDPOINT/mtls` to clear any previously set configuration.
+
+The `PUT` body consists of two keys:
+- `identity` (required) a PEM encoded private key and X509 certificate used by the webhook sender to authenticate itself.
+- `serverCaCert` (optional) a CA cert to use for validating the webhook receiver's cert.
+
+
+Example:
+
+```sh
+# using jq here to escape the newlines and produce a quoted string
+CLIENT_PEM="$(cat client.pem | jq -sR .)"
+
+curl -sS -H "Authorization: Bearer $TOKEN" \
+	-H "content-type: application/json" \
+	-X PUT \
+	-d '{"identity":'"$CLIENT_PEM"'}' \
+	$SVIX_ROOT/api/v1/app/my-app/endpoint/my-endpoint/mtls
+```
+
+When `serverCaCert` is unset, the standard system CA certificates are used to verify the webhook receiver.