From 8c751b25762936a5f8d221a0b1528891b2c9f7e7 Mon Sep 17 00:00:00 2001 From: Danish Mujtaba Qureshi Date: Thu, 5 Feb 2026 19:49:57 +0000 Subject: [PATCH 1/3] Add Mutual TLS (mTLS) authentication section --- .../privacy-proxy/concepts/authentication.mdx | 23 +++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/src/content/docs/privacy-proxy/concepts/authentication.mdx b/src/content/docs/privacy-proxy/concepts/authentication.mdx index 1a15b12e024670d..b5e93dcf3807924 100644 --- a/src/content/docs/privacy-proxy/concepts/authentication.mdx +++ b/src/content/docs/privacy-proxy/concepts/authentication.mdx @@ -9,12 +9,13 @@ Privacy Proxy requires clients to authenticate before proxying traffic. This pag ## Authentication methods -Privacy Proxy supports two authentication methods: +Privacy Proxy supports three authentication methods: | Method | Use case | Privacy level | | -------- | ---------- | --------------- | | Pre-shared key (PSK) | Proof of concept, testing | Lower | -| Privacy Pass tokens | Production deployments | Higher | +| Privacy Pass tokens | Client to server | Higher | +| mTLS | Server to server | Higher | --- 
@@ -134,6 +135,24 @@ For production deployments using Privacy Pass: --- +## Mutual TLS (mTLS) + +[Mutual TLS (mTLS) authentication](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) ensures that traffic is both secure and trusted in both directions. The client presents a certificate to the proxy, and the proxy validates it before allowing the connection. + +### How it works + +The client includes a TLS client certificate during the TLS handshake. The proxy validates the certificate against a configured certificate authority (CA) and allows the connection if the certificate is trusted. + +### Limitations + +- **Certificate management**: You must provision and manage certificates for each client or service. +- **Not suitable for end users**: mTLS is designed for server-to-server communication, not for authenticating individual users. +- **No unlinkability**: The proxy can identify the client by its certificate, which reduces privacy compared to Privacy Pass. + +Use mTLS for server-to-server integrations where both parties are trusted services. + +--- + ## Authentication in double-hop deployments In [double-hop deployments](/privacy-proxy/concepts/deployment-models/#double-hop), authentication occurs at two levels: From d5f844de5e09a4682edb45efd656df7fab020b71 Mon Sep 17 00:00:00 2001 From: Danish Mujtaba Qureshi Date: Thu, 5 Feb 2026 20:00:04 +0000 Subject: [PATCH 2/3] Change Privacy Pass tokens privacy level to High --- src/content/docs/privacy-proxy/concepts/authentication.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/privacy-proxy/concepts/authentication.mdx b/src/content/docs/privacy-proxy/concepts/authentication.mdx index b5e93dcf3807924..cea2f6f58200c24 100644 --- a/src/content/docs/privacy-proxy/concepts/authentication.mdx +++ b/src/content/docs/privacy-proxy/concepts/authentication.mdx 
@@ -14,7 +14,7 @@ Privacy Proxy supports three authentication methods: | Method | Use case | Privacy level | | -------- | ---------- | --------------- | | Pre-shared key (PSK) | Proof of concept, testing | Lower | -| Privacy Pass tokens | Client to server | Higher | +| Privacy Pass tokens | Client to server | High | | mTLS | Server to server | Higher | --- From 9c321b7d522a79cc684d24fd706c938514e846a2 Mon Sep 17 00:00:00 2001 From: Danish Mujtaba Qureshi <165572343+danish-m-qureshi@users.noreply.github.com> Date: Fri, 6 Feb 2026 22:03:05 +0000 Subject: [PATCH 3/3] Update src/content/docs/privacy-proxy/concepts/authentication.mdx Co-authored-by: Patricia Santa Ana <103445940+patriciasantaana@users.noreply.github.com> --- src/content/docs/privacy-proxy/concepts/authentication.mdx | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/content/docs/privacy-proxy/concepts/authentication.mdx b/src/content/docs/privacy-proxy/concepts/authentication.mdx index cea2f6f58200c24..e67520dbcb8b637 100644 --- a/src/content/docs/privacy-proxy/concepts/authentication.mdx +++ b/src/content/docs/privacy-proxy/concepts/authentication.mdx @@ -145,9 +145,7 @@ The client includes a TLS client certificate during the TLS handshake. The proxy ### Limitations -- **Certificate management**: You must provision and manage certificates for each client or service. -- **Not suitable for end users**: mTLS is designed for server-to-server communication, not for authenticating individual users. -- **No unlinkability**: The proxy can identify the client by its certificate, which reduces privacy compared to Privacy Pass. +You must provision and manage certificates for each client or service. mTLS is designed for server-to-server communication, not for authenticating individual users. The proxy can identify the client by its certificate, which reduces privacy compared to Privacy Pass. Use mTLS for server-to-server integrations where both parties are trusted services.
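Review bot: In the first hunk of patch 1/3 (the methods table), the new mTLS row is rated "Higher" privacy, the same as Privacy Pass tokens, yet the mTLS section added in the same patch says the proxy can identify the client by its certificate and that this "reduces privacy compared to Privacy Pass"; the table should rank mTLS below Privacy Pass so the two parts of the page agree. The "Use case" column also now mixes a deployment stage ("Proof of concept, testing") with a traffic topology ("Client to server", "Server to server"); consider one axis for all three rows, for example "Testing only / Client to server (production) / Server to server (production)".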
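Review bot: The second hunk of patch 1/3 (the new "Mutual TLS (mTLS)" section) says the proxy validates the client certificate "against a configured certificate authority (CA)" but gives no pointer to where that CA is configured, nor whether certificate expiry or revocation is checked during validation; a link to the configuration page, or a sentence stating what is checked beyond chain trust, would let a reader act on this section. The opening sentence "ensures that traffic is both secure and trusted in both directions" is vague; "both the client and the proxy authenticate each other during the TLS handshake" states the actual property.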
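Review bot: Patch 2/3 changes only the Privacy Pass cell from "Higher" to "High", which leaves the column on a mixed scale ("Lower", "High", "Higher") and now reads as if mTLS offers more privacy than Privacy Pass, the opposite of what the mTLS section states. Use one consistent scale for all three rows and order it to match the section text, for example "Low / High / Medium" for PSK / Privacy Pass / mTLS.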
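Review bot: In patch 3/3, collapsing the three bullets into one paragraph leaves the middle sentence ("mTLS is designed for server-to-server communication, not for authenticating individual users.") restating the sentence that follows the paragraph ("Use mTLS for server-to-server integrations where both parties are trusted services."); drop one of the two or merge them. The "### Limitations" heading also remains above what is now a single paragraph that mixes a limitation (certificate management), a scope statement and the privacy caveat; if the bullets are not wanted, consider keeping the bold labels inline so the three distinct points stay visible.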