
[FEATURE]: Add first-class mTLS client certificate support for HTTPS/MCP/provider connections #14696

@cruzanstx

Description

  • I have verified this feature I'm about to request hasn't been suggested before.

Summary

OpenCode should support first-class mutual TLS (mTLS) for outbound HTTPS connections, including provider API calls and remote MCP servers that require client certificate authentication.

Today, users can set custom CA trust (NODE_EXTRA_CA_CERTS), but there is no clear first-class config path for client cert + key (and optional CA) across relevant network surfaces.

Why this matters

Many enterprise environments require mTLS for:

  • outbound API access through secure gateways
  • internal MCP endpoints
  • zero-trust service-to-service access

Without mTLS support, OpenCode is difficult to use in regulated/corporate environments.

Proposed config

Add explicit config options (names are examples):

{
  "network": {
    "mtls": {
      "cert": "/path/client-cert.pem",
      "key": "/path/client-key.pem",
      "ca": "/path/ca.pem",
      "passphrase": "{env:MTLS_KEY_PASSPHRASE}"
    }
  }
}

And/or allow per-target overrides, e.g. per provider or per MCP server.

Expected behavior

  • OpenCode can establish HTTPS connections that require client cert authentication.
  • mTLS config is supported in:
    • provider requests
    • remote MCP HTTP/SSE transport
    • other outbound HTTPS flows used by OpenCode
  • Failure messages are actionable (missing cert/key, invalid format, handshake failure, etc.).
  • Paths and secrets are not logged in plaintext.
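As an added illustration (not code from OpenCode or from the issue author), the TypeScript below shows how the proposed `network.mtls` block could be turned into the options Node's `tls.connect` / `https.Agent` accept: it resolves the `{env:...}` passphrase placeholder, checks that each file is PEM-encoded, and raises errors that name the config key rather than the file path or the secret, in line with the expected behavior above. The `loadMtlsOptions` and `resolveEnvRef` names, the `MtlsConfig` shape and the PEM markers are assumptions.

```typescript
import * as fs from "node:fs";

// Shape of the proposed `network.mtls` block (assumed, mirrors the issue's example).
export interface MtlsConfig { cert: string; key: string; ca?: string; passphrase?: string; }

// Options in the shape Node's tls.connect / https.Agent accept.
export interface MtlsTlsOptions { cert: Buffer; key: Buffer; ca?: Buffer; passphrase?: string; }

type Env = Record<string, string | undefined>;
const ENV_REF = /^\{env:([A-Za-z_][A-Za-z0-9_]*)\}$/;

// Resolve "{env:NAME}" so the passphrase never has to sit in the config file.
export function resolveEnvRef(value: string, env: Env = process.env): string {
  const m = ENV_REF.exec(value);
  if (!m) return value; // literal value, passed through unchanged
  const resolved = env[m[1]];
  if (resolved === undefined) {
    throw new Error(`network.mtls: environment variable ${m[1]} is not set`);
  }
  return resolved;
}

// Read one PEM file; errors name the config key, never the path, so logs stay clean.
function readPem(field: "cert" | "key" | "ca", file: string, marker: RegExp): Buffer {
  let data: Buffer;
  try {
    data = fs.readFileSync(file);
  } catch (e) {
    const code = (e as { code?: string }).code ?? "unknown";
    throw new Error(`network.mtls.${field}: file could not be read (${code})`);
  }
  if (!marker.test(data.toString("utf8"))) {
    const want = field === "key" ? "PRIVATE KEY" : "CERTIFICATE";
    throw new Error(`network.mtls.${field}: file is not PEM-encoded (expected a ${want} block)`);
  }
  return data;
}

// Build TLS options from the config; cert and key are required, ca and passphrase optional.
export function loadMtlsOptions(cfg: MtlsConfig, env: Env = process.env): MtlsTlsOptions {
  const certMarker = /-----BEGIN CERTIFICATE-----/;
  const keyMarker = /-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----/;
  const opts: MtlsTlsOptions = {
    cert: readPem("cert", cfg.cert, certMarker),
    key: readPem("key", cfg.key, keyMarker),
  };
  if (cfg.ca) opts.ca = readPem("ca", cfg.ca, certMarker);
  if (cfg.passphrase !== undefined) opts.passphrase = resolveEnvRef(cfg.passphrase, env);
  return opts; // e.g. new https.Agent(opts) or tls.connect({ host, port, ...opts })
}
```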

Acceptance criteria

  • Documented config schema for mTLS cert/key/ca
  • Works for at least provider and remote MCP connections
  • Works with PEM cert+key files
  • Clear troubleshooting docs for TLS handshake failures
  • Tests covering success and common failure cases

Label: core (Anything pertaining to core functionality of the application (opencode server stuff))