---
title: Setting and Unsetting Mutual TLS on TLS Activations
summary: >-
  Mutual TLS can be added to existing TLS activations to allow for
  client-to-server authentication. In order to use mutual TLS, you must already
  have active server-side TLS using either <a
  href="https://www.fastly.com/documentation/reference/api/tls/custom-certs/activations/">custom
  certificates</a> or an enabled Fastly-managed <a
  href="https://www.fastly.com/documentation/reference/api/tls/subs/">subscription</a>.
url: https://www.fastly.com/documentation/reference/api/tls/mutual-tls/activations
---

Mutual TLS can be added to existing TLS activations to allow for client-to-server authentication. In order to use mutual TLS, you must already have active server-side TLS using either <a href="https://www.fastly.com/documentation/reference/api/tls/custom-certs/activations/">custom certificates</a> or an enabled Fastly-managed <a href="https://www.fastly.com/documentation/reference/api/tls/subs/">subscription</a>.

## Data model

| Field | Type | Description |
|-------|------|-------------|
| `relationships.mutual_authentication.id` | string | Alphanumeric string identifying a mutual authentication. |
| `relationships.tls_certificate.id` | string | Alphanumeric string identifying a TLS certificate. |
| `relationships.tls_configuration.id` | string | Alphanumeric string identifying a TLS configuration. |
| `relationships.tls_domain.id` | string | The domain name. |
| `type` | string | Resource type. |
| `created_at` | string | Date and time in ISO 8601 format. (Read-only) |
| `deleted_at` | string | Date and time in ISO 8601 format. (Read-only) |
| `id` | string | Alphanumeric string identifying a TLS activation. (Read-only) |
| `updated_at` | string | Date and time in ISO 8601 format. (Read-only) |

## API endpoints

### List TLS activations

**GET** `/tls/activations`

List all TLS activations.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `filter[mutual_authentication.id]` | string | query | No | Limit the returned rules to a specific mutual authentication ID (or null ID). |
| `filter[tls_certificate.id]` | string | query | No | Limit the returned activations to a specific certificate. |
| `filter[tls_configuration.id]` | string | query | No | Limit the returned activations to a specific TLS configuration. |
| `filter[tls_domain.id]` | string | query | No | Limit the returned rules to a specific domain name. |
| `include` | string | query | No | Include related objects. Optional, comma-separated values. Permitted values: <code>tls_certificate</code>, <code>tls_configuration</code>, and <code>tls_domain</code>. |
| `page[number]` | integer | query | No | Current page. |
| `page[size]` | integer | query | No | Number of records per page. |

### Get a TLS activation

**GET** `/tls/activations/{tls_activation_id}`

Show a TLS activation.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `include` | string | query | No | Include related objects. Optional, comma-separated values. Permitted values: <code>tls_certificate</code>, <code>tls_configuration</code>, and <code>tls_domain</code>. |
| `tls_activation_id` | string | path | Yes | Alphanumeric string identifying a TLS activation. |

### Update Mutual TLS

**PATCH** `/tls/activations/{tls_activation_id}`

Update the mutual authentication for the domain associated with this TLS activation. You may either 1) pass a valid mutual authentication ID to activate Mutual TLS, or 2) pass null as the ID to deactivate from Mutual TLS.

**Parameters:**

| Name | Type | In | Required | Description |
|------|------|----|---------|--------------|
| `tls_activation_id` | string | path | Yes | Alphanumeric string identifying a TLS activation. |