Are you using an API gateway to ensure solid security for your APIs? Or a microservices API gateway to do the same for your backend services? If so, you need to know about securing your API gateway with Transport Layer Security (TLS). Read on for answers to all your burning API gateway TLS questions!
What is API gateway TLS?
Before we look at API gateway TLS, let’s take a step back and look at what TLS is.
TLS is a cryptographic protocol that is the successor to the deprecated Secure Sockets Layer (SSL) protocol. Developed by the Internet Engineering Task Force (IETF), it uses data encryption to provide security for the connections between different elements of computer networks, such as web servers and web applications. A TLS listener handles incoming connections that use TLS. When the different network elements exchange data, the TLS protocol keeps that data safe and secure.
In the context of an API gateway, TLS can secure downstream communications between clients and the gateway. It can also secure upstream communications between the gateway, the APIs, and the backend services behind it. It does so using encryption, so the data is unreadable to anyone who does not have the proper decryption keys.
TLS uses an authentication handshake mechanism so that both clients and servers authenticate each other. Securing your API gateway with TLS provides a solid foundation for data integrity. These checks confirm that your API data has not been modified during transmission, a critical aspect of API security.
To secure an API gateway with TLS you need to:
- Obtain a TLS certificate (public CA or private CA)
- Install the certificate and private key on the gateway server
- Enable HTTPS listener with TLS 1.2 or TLS 1.3
- Configure secure cipher suites (TLS 1.2 only)
- Enforce strong certificate validation
- Enable mutual TLS (mTLS) if client authentication is required
- Disable insecure protocols (SSL, TLS 1.0, TLS 1.1)
- Monitor certificate expiration and automate renewal
- Test configuration using tools like OpenSSL or SSL Labs
TLS termination vs end-to-end encryption
It’s important to understand the difference between TLS termination and end-to-end encryption.
- TLS termination inspects traffic by decrypting it at an intermediary before re-encrypting it. This is great for optimizing performance but does introduce a point of vulnerability (for more on security vulnerabilities, check out the OWASP API Security Top 10).
- End-to-end encryption means the data remains encrypted all the way from the sender to the recipient. This provides maximum security, ensuring only the recipient can decrypt the data.
Certificate pinning
When detailing how to secure your API gateway with TLS, we mentioned the TLS certificate. The certificate ensures that communication is secure by leveraging the SSL/TLS mechanism to verify the server’s identity when the client initiates the connection. Certificate pinning makes this more secure by requiring that the presented certificate matches the pinned version. Only if this is verified can the connection proceed.
Multi-region TLS considerations
You can implement TLS across multiple regions. Doing so means thinking carefully about the orchestration required to achieve the security and performance standards you need, along with regulatory compliance. You’ll need to consider:
- Certificate management and distribution: You’ll need to use a consistent set of trusted Certificate Authorities across every region if you’re going to avoid trust validation failures. You’ll also need to use regional truststores to optimize both resilience and performance. These are a foundational part of zero trust frameworks. You can find more here on NIST zero trust architecture guidance.
- Certificate deployment: Deploy and renew TLS certificates for custom domains simultaneously across all API gateways.
- Security and cryptography: Consider multi-region key management to simplify cross-region data access and use consistent TLS versions – such as RRC 8446 (TLS1.3) – to prevent security drift. You’ll also need to ensure you comply with data sovereignty laws in all regions (examples include GDPR and HIPAA) when using TLS encryption for your traffic.
- Performance and latency: You can improve performance by minimizing TLS handshake latency. Do this by routing user traffic to the closest healthy region via DNS-based routing. You can further reduce latency by terminating TLS at the edge.
- Automation: Cut out scope for human error with an infrastructure as code (IaC) approach. You can use IaC tools to manage, deploy, and update your multi-region TLS configurations.
- Monitoring and logging: Track certificate expiration dates proactively through centralized monitoring. You can also use monitoring and logging to look out for any anomalies in TLS traffic.
- Architecture: Consider whether an active-active approach or an active-passive approach would suit your needs best. Active-passive is the less complex of the two, but active-active is likely better if you’re looking for consistent security and seamless failover.
Benefits of using TLS for API gateway
We’ll dive into the details of API gateway certificate creation in a moment, but first, let’s consider the benefits of using API gateway TLS.
The data encryption that TLS provides is a clear win in terms of confidentiality. Let’s consider the banking sector. According to Akamai’s State of Apps and AI Security 2025 report, there were 311 billion web app and API attacks globally in 2024. That’s a 33% increase compared to 2023. In total between January 2023 and December 2024, there were 150 billion API-targeted attacks, highlighting what a prime target APIs now are for attackers.
Securing your API gateway with TLS is vital for protecting data in transit. Ensuring data confidentiality, so it can’t be read even if intercepted, is a key priority when securing your APIs, thus guarding against eavesdropping attacks.
Data encryption achieved through TLS can also help organizations comply with legal and regulatory compliance requirements – another plus point for securing your API gateway with TLS.
Data integrity is a further benefit of TLS API security, as the recipient can be sure that data hasn’t been tampered with while in transit. Mutual TLS (mTLS) authentication adds to the peace of mind, as authenticating both parties helps prevent man-in-the-middle (MITM) attacks.
There is an element of future-proofing that comes with using API gateway TLS as well. Security threats continue to evolve, but as TLS is updated and improved regularly, you can stay one step ahead as new threats emerge by using the latest TLS version.
Creating certificates for API gateway TLS
Key to the successful working of TLS is the API gateway client certificate. Certificates are a fundamental part of how mTLS authentication works, with both parties’ TLS certificates providing information required for successful verification.
With API gateway mutual TLS in place, the handshake element of the process can proceed smoothly. It enables clients to ensure they are connecting to the legitimate gateway, building trust in the process. Indeed, API gateway mTLS is often used in zero-trust environments – something that many organisations focus on as part of their API security strategy.
You can create a list of trusted certificates as part of your API gateway mTLS setup. Using the example of Tyk API Gateway, you can set up TLS and mTLS connections, with all TLS connections also supporting HTTP/2. Tyk also supports Let’s Encrypt if you need to use a public certificate authority. You can use certificate pinning to allow only specified public keys to generate certificates. This means you will be protected in case an upstream certificate is compromised. You can define upstream certificates on the API definition level or use the gateway configuration file to do so globally.
With Tyk, you also have a range of options for managing self-signed certificates, with best practice dictating that you store certificates locally in the standard certificate store.
Speaking more generally, if you need to create a certificate for API gateway TLS, decide whether to use a public certificate authority or set up your private certificate authority. The latter gives you greater control (but also requires a greater degree of management). Next, generate a certificate signing request on the server hosting your API gateway. The request includes the public key that the certificate will include.
Securing your API gateway with TLS often involves obtaining a certificate. If you’re using a public Certificate Authority (CA), you’ll need to submit your Certificate Signing Request (CSR) to them and follow their instructions to validate your request for your API gateway. If you’re using a private CA, it will handle the signing of the certificate using a private key, providing solid security for your APIs.
You can now install the TLS certificate on your API gateway server.
Configuring API gateway for TLS
Installing an API gateway TLS certificate means you’ll need to add the certificate and private key files to your server’s configuration and then update the gateway’s configuration. This involves specifying the certificate and private key files and configuring the TLS settings. This is where you can specify things like TLS version, protocols and ciphersuites. Note that TLS 1.3 (the latest TLS version at the time of writing) doesn’t support cipher selection.
If you’re using microservices, you’ll need to manage your Kubernetes TLS certificates. With a TLS Kubernetes setup, you can do this by configuring the kubectl command-line tool to communicate with your cluster and then using the certificates.k8s.io API. This allows you to provision signed TLS certificates to establish trust.
TLS security best practices for API gateways
For robust TLS security, bear in mind the following best practices in relation to your API gateways:
- Disable SSL and TLS 1.0/1.1 – these are cryptographically broken and no longer secure, making you vulnerable to modern attacks.
- Use TLS 1.3 wherever supported to ensure your security is up to date.
- Enforce strong cipher suites if using TLS 1.2 (TLS 1.3 doesn’t support cipher selection).
- Use HTTP Strict Transport Security (HSTS) headers. These tell browsers to only ever connect using HTTPS, never HTTP. This prevents protocol downgrade attacks, protects against MITM attacks, and eliminates “mixed first request” risk. Using HSTS headers is a key OWASP recommendation.
- Enable OCSP stapling, where the web server fetches a signed certificate revocation status from the CA and “staples” it to the TLS handshake. This means the browser doesn’t have to contact the CA directly, improving privacy and performance while ensuring real-time certificate validity checking.
- Rotate certificates automatically.
- Monitor for certificate expiration, using a tool such as Tyk Dashboard’s proactive certificate lifecycle management.
- Use short-lived certificates in zero trust environments.
- Restrict renegotiation to prevent abuse of the TLS handshake process. Otherwise, attackers can exploit it for denial of service or resource exhaustion attacks against your API gateway.
What is mutual TLS (mTLS) in API gateways?
Mutual TLS is a TLS authentication method where the client and the API gateway present and validate each other’s certificates during the handshake. It differs from standard TLS, which uses server-only authentication. Before any request is processed, mTLS ensures the client’s identity has been cryptographically verified.
When used in API gateways, this provides strong service-to-service or client-to-service authentication without the need to rely solely on API keys or tokens. This strict identity-based access control is common in both zero trust and microservices architectures.
What version of TLS do API gateways use?
As mentioned above, the latest TLS version is 1.3, which the Internet Engineering Task Force published in August 2018. TLS 1.3 replaced TLS 1.2, bringing new features and improvements, such as speeding up TLS handshakes and dropping support for older cryptographic features no longer considered secure.
How do I enable TLS for API gateway?
It’s not difficult to enable TLS for your API gateway; you just need to be methodical. Our blog post on transport layer security and Tyk walks you through the whole process, from generating a self-signed certificate to launching a Tyk Gateway instance and protecting your data with TLS. If you’re looking for a step-by-step guide to enabling API gateway TLS, that’s where to start.
Of course, the Tyk team is also happy to help with any gateway TLS questions, so feel free to get in touch.
