mTLS Authentication in JFrog Cloud

JFrog Hosting Models Documentation

Content Type
User Guide

Mutual Transport Layer Security (mTLS) authentication or two-way authentication refers to two parties authenticating each other at the same time in an authentication protocol. This type of authentication, which is an optional feature for TLS, means that the client also authenticates itself against the server with a client-side certificate, thus providing enhanced security.

What does mTLS do?

The mTLS capability enables clients who are communicating with a JFrog Cloud instance to utilize mutual TLS (mTLS), which works in the following mTLS modes. Note that this applies only to the JFrog Platform and not to MyJFrog.

  • Optional Verification: Clients can either use mTLS or not (both types of requests will be accepted by the server). In this case mTLS is not strictly enforced, which can be relevant in a transition phase.

  • Enforced: Clients must use mTLS to communicate with the server. This includes both client requests sent via API, as well as accessing the JFrog Platform UI via a browser. Using this mode requires an initial setup on the client side (browser, clients), to configure the mTLS client certificate. Setting up the client certificate should be done based on the specific tool's user guide.


The mTLS client certificate (CA) is an added condition and does not replace the need to perform authentication (e.g., via credentials, access token, etc.).

As a best practice, we recommend starting with the optional mode and then move to the enforced mode.