Mutual TLS (mTLS) HTTP adapter for Tink.
Tink accepts mTLS as an alternative to client_id/client_secret for OAuth client authentication (RFC 8705 interoperability requirement).
Configuration
    # In config/runtime.exs:
    config :tink,
      http_adapter: Tink.HTTP.MutualTLS,
      mtls: [
        cert_pem: System.get_env("TINK_CLIENT_CERT_PEM"),
        key_pem: System.get_env("TINK_CLIENT_KEY_PEM"),
        ca_pem: System.get_env("TINK_CA_PEM") # optional; Tink uses DigiCert/Amazon CAs
      ]

Or point to files:

    config :tink,
      http_adapter: Tink.HTTP.MutualTLS,
      mtls: [
        cert_file: "/path/to/client.crt",
        key_file: "/path/to/client.key"
      ]

CA Certificate notes (from Tink docs)
Tink's API server certificate is issued by DigiCert. On 17 September 2026, DigiCert Global Root G2 (RSA SHA-256) will be replaced with Amazon Root CA 3 (EC_prime256v1). Update your certificate trust store before that date.
If using certificate pinning, ensure you trust:
- DigiCert Global Root G2 (current)
- Amazon Root CA 3 (from 17 Sep 2026)
TLS version
TLS 1.2 is currently the required minimum. Tink will stop accepting TLS 1.2 on 31 December 2027; ensure your application supports TLS 1.3 before then.
Functions
Start a named Finch pool for mTLS. Call this in your Application supervisor.
Returns a {Finch, opts} tuple suitable for a Supervisor/Application
children list — NOT the formal Supervisor.child_spec() map shape (i.e.
%{id: ..., start: {mod, fun, args}, ...}). Finch itself implements
child_spec/1 (via use Supervisor), so the children list entry
{Finch, opts} is expanded into the real child spec by the supervisor at
start time — this function just builds that entry, it doesn't build the
expanded spec itself.
Build the Finch mTLS pool configuration from app config.
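One way such a pool configuration could be derived from the `mtls` options shown under Configuration, as an added example that is not the library's own code. The module name `MtlsSketch`, the pool name and the mapping onto Erlang `:ssl` options are assumptions, and Finch must be a dependency of the application.

```elixir
defmodule MtlsSketch do
  # Hypothetical module: an added sketch, not the Tink library's implementation.
  @key_types [:RSAPrivateKey, :ECPrivateKey, :PrivateKeyInfo]

  # Translate the page's :mtls keyword list into Erlang :ssl client options.
  def transport_opts(mtls) do
    # Offer TLS 1.3 first; 1.2 stays only while the server still accepts it.
    base = [verify: :verify_peer, versions: [:"tlsv1.3", :"tlsv1.2"]]
    base ++ identity(mtls) ++ trust(mtls[:ca_pem])
  end

  # Children-list entry for a Finch pool (pool name is a placeholder).
  def finch_child(mtls, name \\ MtlsSketch.Finch) do
    {Finch, name: name, pools: %{default: [conn_opts: [transport_opts: transport_opts(mtls)]]}}
  end

  defp identity(mtls) do
    case {mtls[:cert_pem], mtls[:key_pem], mtls[:cert_file], mtls[:key_file]} do
      {cert, key, _, _} when is_binary(cert) and is_binary(key) ->
        # A list (leaf first, then chain) is accepted by recent OTP releases.
        [cert: certs(cert), key: private_key(key)]

      {_, _, cert_file, key_file} when is_binary(cert_file) and is_binary(key_file) ->
        [certfile: cert_file, keyfile: key_file]

      _ ->
        # Fail closed: an unset env var must not yield a client without a certificate.
        raise ArgumentError, "mtls needs cert_pem + key_pem or cert_file + key_file"
    end
  end

  # Without ca_pem nothing is set, so the HTTP client's default trust store applies.
  defp trust(nil), do: []
  defp trust(ca_pem), do: [cacerts: certs(ca_pem)]

  defp certs(pem) do
    ders = for {:Certificate, der, :not_encrypted} <- :public_key.pem_decode(pem), do: der
    if ders == [], do: raise(ArgumentError, "no certificate found in PEM")
    ders
  end

  defp private_key(pem) do
    case Enum.find(:public_key.pem_decode(pem), fn {type, _, _} -> type in @key_types end) do
      {type, der, :not_encrypted} -> {type, der}
      {_, _, _cipher} -> raise ArgumentError, "encrypted private keys are not handled here"
      nil -> raise ArgumentError, "no private key found in PEM"
    end
  end
end
```

When `ca_pem` is set, only the roots in that bundle are trusted, so it needs to contain both DigiCert Global Root G2 and Amazon Root CA 3 across the 17 September 2026 changeover.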