Authenticate with client certificate
APPLIES TO: All API Management tiers
Use the authentication-certificate policy to authenticate with a backend service using a client certificate. Install the certificate into API Management first, and then identify it in the policy by its thumbprint or certificate ID (resource name).
Caution
Minimize risks of credential exposure when configuring this policy. Microsoft recommends that you use more secure authentication methods if supported by your backend, such as managed identity authentication or credential manager. If you configure sensitive information in policy definitions, we recommend using named values and storing secrets in Azure Key Vault.
Caution
If the policy references a certificate stored in Azure Key Vault, identify it by its certificate ID. When a key vault certificate is rotated, its thumbprint in API Management changes, and a policy that identifies the certificate by thumbprint will not resolve the new certificate.
Note
Set the policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.
Policy statement
```xml
<authentication-certificate thumbprint="thumbprint" certificate-id="resource name" body="certificate byte array" password="optional password"/>
```
Attributes
Attribute | Description | Required | Default
---|---|---|---
thumbprint | The thumbprint of the client certificate. Policy expressions are allowed. | Either thumbprint or certificate-id can be present. | N/A
certificate-id | The certificate resource name. Policy expressions are allowed. | Either thumbprint or certificate-id can be present. | N/A
body | Client certificate as a byte array. Use if the certificate isn't retrieved from the built-in certificate store. Policy expressions are allowed. | No | N/A
password | Password for the client certificate. Policy expressions are allowed. | Use if the certificate specified in body is password protected. | N/A
Usage
- Policy sections: inbound
- Policy scopes: global, workspace, product, API, operation
- Gateways: classic, v2, consumption, self-hosted, workspace
Usage notes
- We recommend configuring key vault certificates to manage certificates used to secure access to backend services.
- If you configure a certificate password in this policy, we recommend using a named value.
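The following complete policy definition is an added example, not taken from the original page, that applies both usage notes: the certificate is referenced by a stable certificate ID (so a Key Vault rotation does not break the policy), and the password for the body variant is read from a named value instead of being written into the policy text. The names backend-client-cert, backend-cert-password and the byteCertificate context variable are placeholders chosen for this example.

```xml
<!-- Added example: full inbound section following the usage notes above.
     Resource names and the named value are placeholders, not real identifiers. -->
<policies>
    <inbound>
        <base />
        <!-- Preferred: identify the certificate by resource name. For a Key Vault
             certificate the ID stays the same after rotation, while the thumbprint
             changes, so a thumbprint reference would stop resolving. -->
        <authentication-certificate certificate-id="backend-client-cert" />

        <!-- Avoid: a thumbprint reference to a Key Vault certificate, or a plaintext
             password in the policy. Shown here as a comment for contrast only.
        <authentication-certificate thumbprint="THUMBPRINT-OF-ROTATING-CERT" />
        <authentication-certificate body="..." password="plaintext-password" />
        -->

        <!-- Variant when the certificate bytes are supplied at runtime rather than
             from the built-in store: the password comes from a named value
             ({{backend-cert-password}}), which can itself be backed by Key Vault,
             so the secret never appears in the policy definition. -->
        <!--
        <authentication-certificate
            body="@(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))"
            password="{{backend-cert-password}}" />
        -->
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Only one authentication-certificate element should be active in a given scope; the commented-out elements are included to show the contrast between the discouraged and recommended forms.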
Examples
Client certificate identified by the certificate ID
```xml
<authentication-certificate certificate-id="544fe9ddf3b8f30fb490d90f" />
```
Client certificate identified by thumbprint
```xml
<authentication-certificate thumbprint="CA06F56B258B7A0D4F2B05470939478651151984" />
```
Client certificate set in the policy rather than retrieved from the built-in certificate store
```xml
<authentication-certificate body="@(context.Variables.GetValueOrDefault<byte[]>("byteCertificate"))" password="optional-certificate-password" />
```
Related policies
Related content
For more information about working with policies, see:
- Tutorial: Transform and protect your API
- Policy reference for a full list of policy statements and their settings
- Policy expressions
- Set or edit policies
- Reuse policy configurations
- Policy snippets repo
- Author policies using Microsoft Copilot in Azure