Client TLS authentication

This documentation is for the Envoy v3 API.

As of Envoy v1.18 the v2 API has been removed and is no longer supported.

If you are upgrading from v2 API config you may wish to view the v2 API documentation:

This extension may be referenced by the qualified name


This extension is intended to be robust against untrusted downstream traffic. It assumes that the upstream is trusted.


This extension extends and can be used with the following extension category:

Client TLS authentication configuration overview.

[ proto]

{
  "auth_api_cluster": "...",
  "stat_prefix": "...",
  "refresh_delay": "{...}",
  "ip_white_list": []
}

auth_api_cluster
(string, REQUIRED) The cluster manager cluster that runs the authentication service. The filter will connect to the service every 60s to fetch the list of principals. The service must support the expected REST API.

stat_prefix
(string, REQUIRED) The prefix to use when emitting statistics.

refresh_delay
(Duration) Time in milliseconds between principal refreshes from the authentication service. Default is 60000 (60s). The actual fetch time will be this value plus a random jittered value between 0-refresh_delay_ms milliseconds.

ip_white_list
(repeated config.core.v3.CidrRange) An optional list of IP address and subnet masks that should be white listed for access by the filter. If no list is provided, there is no IP allowlist.
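
A pre-deployment check for this filter's settings, as an added example that is not part of the Envoy documentation: it reports missing REQUIRED fields, computes the fetch window implied by refresh_delay plus its jitter, and flags allowlist ranges that match every address. The address_prefix and prefix_len keys follow the CidrRange message; the sample config, cluster name and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample config; the cluster name and ranges are placeholders.
SAMPLE = {
    "auth_api_cluster": "auth_service",
    "stat_prefix": "client_tls",
    "refresh_delay": "30s",
    "ip_white_list": [
        {"address_prefix": "10.0.0.0", "prefix_len": 8},
        {"address_prefix": "0.0.0.0", "prefix_len": 0},
    ],
}

DEFAULT_REFRESH_MS = 60000  # default given in the refresh_delay description


def parse_duration_ms(value):
    """Convert a protobuf JSON Duration string such as "30s" to milliseconds."""
    if value is None:
        return DEFAULT_REFRESH_MS
    if not isinstance(value, str) or not value.endswith("s"):
        raise ValueError(f"not a Duration string: {value!r}")
    return round(float(value[:-1]) * 1000)


def review(cfg):
    """Return (allowlisted networks, (min_ms, max_ms) fetch window, findings)."""
    findings = []
    for field in ("auth_api_cluster", "stat_prefix"):
        if not cfg.get(field):
            findings.append(f"{field} is REQUIRED but missing or empty")
    base = parse_duration_ms(cfg.get("refresh_delay"))
    window = (base, 2 * base)  # refresh_delay plus jitter of 0..refresh_delay
    networks = []
    for entry in cfg.get("ip_white_list", []):
        cidr = f"{entry['address_prefix']}/{entry.get('prefix_len', 0)}"
        net = ipaddress.ip_network(cidr, strict=False)  # tolerate host bits
        networks.append(net)
        if net.prefixlen == 0:
            findings.append(f"{net} allowlists every IPv{net.version} address")
    return networks, window, findings


def allowlisted(networks, addr):
    """True if addr falls inside any configured CidrRange."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in networks if n.version == ip.version)
```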