
client-certificate-auth

mTLS for Node.js

Express middleware, reverse proxy support, and authorization helpers for client certificate authentication

What is this?

client-certificate-auth authenticates HTTP clients by their TLS client certificates (mutual TLS, or mTLS). Instead of a password, API key, or bearer token, the client presents an X.509 certificate during the TLS handshake, and the server checks that it was issued by a CA it trusts. The certificate is the credential.

Typical uses: service-to-service APIs where each caller holds its own certificate, machine and device authentication (CI runners, IoT fleets), restricting sensitive internal endpoints to known clients, and certificate-based user login in enterprise PKI environments.

The library extracts the verified certificate from the request wherever your TLS terminates (a Node.js https server, a reverse proxy or load balancer that forwards it in a header, an AWS Lambda event, or a Web-standard Request) and passes it to your authorization logic as a standard tls.PeerCertificate object. Start with the Getting Started guide.
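As an added illustration (not code from the library or its documentation), here is one way authorization logic might evaluate a `tls.PeerCertificate`-shaped object once it has been extracted. The `policy` object, the `authorize` and `normalizeFp` names, and the sample certificate are all hypothetical and constructed for this example; only the certificate field names follow Node's `tls` module.

```javascript
// Added example: authorization policy over a tls.PeerCertificate-shaped object.
// Policy values and the sample certificate are constructed, not real.
const policy = {
  issuerCN: 'Example Internal CA',
  allowedCNs: new Set(['billing-service', 'ci-runner-01']),
  // Optional SHA-256 pins; an empty set means "any allowed subject from the issuer".
  pinned: new Set(['aa11'.repeat(16)]),
};

// Node reports fingerprint256 as colon-separated uppercase hex.
const normalizeFp = (fp) => String(fp || '').replace(/:/g, '').toLowerCase();

function authorize(cert, pol, now = Date.now()) {
  const deny = (reason) => ({ allowed: false, reason });
  // getPeerCertificate() yields an empty object when no certificate was sent.
  if (!cert || !cert.subject) return deny('no client certificate');

  // Fail closed on unparseable dates: comparisons against NaN are always false.
  const from = Date.parse(cert.valid_from);
  const to = Date.parse(cert.valid_to);
  if (!(from <= now && now <= to)) return deny('outside validity window');

  if (!cert.issuer || cert.issuer.CN !== pol.issuerCN) return deny('unexpected issuer');

  // A repeated CN attribute may be reported as an array; reject rather than guess.
  const cn = cert.subject.CN;
  if (typeof cn !== 'string' || !pol.allowedCNs.has(cn)) return deny('subject not allowed');

  if (pol.pinned.size > 0 && !pol.pinned.has(normalizeFp(cert.fingerprint256))) {
    return deny('fingerprint not pinned');
  }
  return { allowed: true, reason: 'ok', principal: cn };
}

// Constructed sample in the shape Node's tls module produces.
const sampleCert = {
  subject: { CN: 'billing-service', O: 'Example Corp' },
  issuer: { CN: 'Example Internal CA' },
  valid_from: 'Jan 10 00:00:00 2024 GMT',
  valid_to: 'Jan 10 00:00:00 2034 GMT',
  fingerprint256: 'AA:11:'.repeat(16).slice(0, -1),
};
```

Every check returns a reason string, so a denied request can be logged with the specific rule that rejected it.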

Released under the MIT License.