Skip to content

Commit

Permalink
Docs for how to configure endpoint mTLS
Browse files Browse the repository at this point in the history
These docs describe how to enable mTLS for an endpoint, reflecting a
pending release (not yet in GA).
  • Loading branch information
svix-onelson committed May 30, 2024
1 parent e6dde19 commit 8432a91
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions docs/receiving/using-app-portal/adding-endpoints.mdx
Original file line number Diff line number Diff line change
Expand Up @@ -24,3 +24,30 @@ full descriptions of each endpoint as well as all the fields they send.
If you don't specify any event types, by default, your endpoint will receive all events, regardless of type.
This can be helpful for getting started and for testing, but we recommend changing this to a subset later on
to avoid receiving unexpected messages.

### Configuring mTLS

Svix now supports Mutual TLS (mTLS), per endpoint. At this time this feature is only configurable via API.

- `PUT $SVIX_ROOT/api/v1/app/APP/endpoint/ENDPOINT/mtls` to set the configuration options.
- `DELETE $SVIX_ROOT/api/v1/app/APP/endpoint/ENDPOINT/mtls` to clear any previously set configuration.

The `PUT` body consists of two keys:
- `identity` (required) a PEM encoded private key and X509 certificate.
- `serverCaCert` (optional) a CA cert to use for validating the webhook receiver's cert.


Example:

```sh
# using jq here to escape the newlines and produce a quoted string
CLIENT_PEM="$(cat client.pem | jq -sR .)"

curl -sS -H "Authorization: Bearer $TOKEN" \
-H "content-type: application/json" \
-X PUT \
-d '{"identity":'"$CLIENT_PEM"'}' \
$SVIX_ROOT/api/v1/app/my-app/endpoint/my-endpoint/mtls
```

When `serverCaCert` is unset, the standard system CA certificates are used to verify the webhook receiver.

0 comments on commit 8432a91

Please sign in to comment.