Tink.HTTP.MutualTLS (Tink v1.0.0)


Mutual TLS (mTLS) HTTP adapter for Tink.

Tink accepts mTLS as an alternative to client_id/client_secret for OAuth client authentication (RFC 8705 interoperability requirement).

Configuration

# In config/runtime.exs:
config :tink,
  http_adapter: Tink.HTTP.MutualTLS,
  mtls: [
    cert_pem:  System.get_env("TINK_CLIENT_CERT_PEM"),
    key_pem:   System.get_env("TINK_CLIENT_KEY_PEM"),
    ca_pem:    System.get_env("TINK_CA_PEM")   # optional; Tink uses DigiCert/Amazon CAs
  ]

Or point to files:

config :tink,
  http_adapter: Tink.HTTP.MutualTLS,
  mtls: [
    cert_file: "/path/to/client.crt",
    key_file:  "/path/to/client.key"
  ]

CA Certificate notes (from Tink docs)

Tink's API server certificate is issued by DigiCert. On 17 September 2026, DigiCert Global Root G2 (RSA SHA-256) will be replaced with Amazon Root CA 3 (EC_prime256v1). Update your certificate trust store before that date.

If using certificate pinning, ensure you trust:

  • DigiCert Global Root G2 (current)
  • Amazon Root CA 3 (from 17 Sep 2026)

TLS version

TLS 1.2 is currently the required minimum. Tink will stop accepting TLS 1.2 on 31 December 2027; ensure your application supports TLS 1.3 before then.
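A boot-time preflight for the `:mtls` settings and the TLS 1.3 requirement described above, as an added example that is not part of Tink's own code. The module name `MyApp.TinkMTLSPreflight`, the error tuples, and the choice to prefer inline PEM over a file path are assumptions of this example.

```elixir
defmodule MyApp.TinkMTLSPreflight do
  # Hypothetical module (not part of Tink): validates the :mtls config at boot.
  @key_types [:RSAPrivateKey, :ECPrivateKey, :PrivateKeyInfo]

  def check(mtls \\ Application.get_env(:tink, :mtls, [])) do
    with {:ok, cert_pem} <- load(mtls, :cert_pem, :cert_file),
         {:ok, key_pem} <- load(mtls, :key_pem, :key_file),
         :ok <- expect_entry(cert_pem, [:Certificate], :cert),
         :ok <- expect_entry(key_pem, @key_types, :key),
         :ok <- tls13_supported() do
      :ok
    end
  end

  # Assumption of this example: inline PEM is preferred over a file path.
  # System.get_env/1 yields nil when the variable is unset, so nil is rejected.
  defp load(mtls, pem_key, file_key) do
    case {mtls[pem_key], mtls[file_key]} do
      {pem, _} when is_binary(pem) and pem != "" -> {:ok, pem}
      {_, path} when is_binary(path) -> read(path, file_key)
      _ -> {:error, {:missing, pem_key, file_key}}
    end
  end

  defp read(path, file_key) do
    case File.read(path) do
      {:ok, pem} -> {:ok, pem}
      {:error, reason} -> {:error, {:unreadable, file_key, reason}}
    end
  end

  # The PEM must hold at least one unencrypted entry of an accepted type.
  defp expect_entry(pem, types, what) do
    entries = :public_key.pem_decode(pem)

    cond do
      entries == [] -> {:error, {:not_pem, what}}
      Enum.any?(entries, fn {t, _der, enc} -> t in types and enc == :not_encrypted end) -> :ok
      Enum.any?(entries, fn {t, _der, _enc} -> t in types end) -> {:error, {:encrypted, what}}
      true -> {:error, {:wrong_pem_type, what}}
    end
  end

  # :ssl.versions/0 lists the protocol versions this OTP build will negotiate.
  defp tls13_supported do
    supported = Keyword.get(:ssl.versions(), :supported, [])
    if :"tlsv1.3" in supported, do: :ok, else: {:error, :tls13_not_supported}
  end
end
```

Error tuples name the failing setting but never carry PEM contents, so the result can be logged without exposing key material.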

Summary

Functions

child_spec()
Start a named Finch pool for mTLS. Call this in your Application supervisor.

finch_pools()
Build the Finch mTLS pool configuration from app config.

Functions

child_spec()

@spec child_spec() :: {module(), keyword()}

Start a named Finch pool for mTLS. Call this in your Application supervisor.

Returns a {Finch, opts} tuple suitable for a Supervisor/Application children list, NOT the formal Supervisor.child_spec() map shape (i.e. %{id: ..., start: {mod, fun, args}, ...}). Finch itself implements child_spec/1 (via use Supervisor), so the supervisor expands the children list entry {Finch, opts} into the real child spec at start time. This function only builds that entry; it does not build the expanded spec itself.

finch_pools()

@spec finch_pools() :: %{required(String.t()) => keyword()}

Build the Finch mTLS pool configuration from app config.