mTLS (#104)
jesushernandez authored Oct 10, 2024
1 parent 7c34b79 commit 962258a
Showing 3 changed files with 41 additions and 1 deletion.
4 changes: 4 additions & 0 deletions api-reference/customer-cards/protocol.mdx
Expand Up @@ -129,6 +129,10 @@ Errors are classified into two categories:
1. **Retriable errors**: these are transient issues where retrying once is appropriate
2. **Integration errors**: these are typically programming or configuration errors. These errors won't be retried and cached for 5 minutes.

## Security

Plain supports [request signing](/api-reference/request-signing) and [mTLS](/api-reference/mtls) to verify that the request was made by Plain and not a third party.

### Retriable errors

The following errors are **retried once** after a **1-second delay**:
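
Review bot: The new `## Security` heading sits between the "Errors are classified into two categories" list and the existing `### Retriable errors` subsection, so the error subsections that follow now nest under Security instead of under the errors section that introduces them. Move the Security block to after the error subsections, or to before the errors section starts, so the page outline stays intact.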
36 changes: 36 additions & 0 deletions api-reference/mtls.mdx
@@ -0,0 +1,36 @@
---
title: 'mTLS'
---

All outbound requests made to your **webhook targets** and **customer card endpoints** include a client TLS certificate which you can verify to achieve mutual authentication.

This certificate is self-signed. In order to verify it, we provide our CA's certificate (in PEM format), which you will need to add to your server/truststore:

```
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
```

<Info>
If you serve your API through AWS API Gateway, you can easily do this by [enabling mTLS and
uploading the
certificate](https://docs.aws.amazon.com/apigateway/latest/developerguide/rest-api-mutual-tls.html)
above as the truststore.
</Info>
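
Review bot: The sentence "This certificate is self-signed. In order to verify it, we provide our CA's certificate" is ambiguous about what the PEM block is: a self-signed client certificate is its own issuer, while a CA certificate signs a separate leaf. State which one the reader is adding to the truststore, because the two cases lead to different verification: trusting one specific certificate versus accepting anything that chains to the CA. The page also gives no subject or SAN to match, no expiry date and no rotation process, so an integrator cannot plan for the certificate changing; a short paragraph covering those would help. Minor: the certificate fence has no language tag.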
2 changes: 1 addition & 1 deletion api-reference/webhooks.mdx
Expand Up @@ -50,7 +50,7 @@ If you want, you can include basic authentication credentials in your webhook ta
Authorization: Basic cGxhaW46cm9ja3M=
```

Plain also supports [request signing](/api-reference/request-signing) to verify that the request was made by Plain and not a third party.
Plain also supports [request signing](/api-reference/request-signing) and [mTLS](/api-reference/mtls) to verify that the request was made by Plain and not a third party.

## Delivery semantics

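Review bot: In the changed sentence, "request signing ... and mTLS to verify that the request was made by Plain" reads as if the two mechanisms are interchangeable, and the same wording is added to `customer-cards/protocol.mdx`. They check different layers: mTLS authenticates the TLS connection, while request signing authenticates the request itself, which matters when TLS terminates at a gateway in front of the application. Consider one clause saying so, or saying that the two can be combined, so readers do not enable one on the assumption that it covers the other.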