> For clean Markdown of any page, append .md to the page URL.
> For a complete documentation index, see https://help.sigmacomputing.com/llms.txt.
> For AI client integration (Claude Code, Cursor, etc.), connect to the MCP server at https://help.sigmacomputing.com/_mcp/server.

# Configure mutual transport layer security (mTLS) for API connectors in Sigma

> Configure mTLS for Sigma API connectors with client and server certificates for mutual authentication.

You can configure mutual transport layer security (mTLS) for [API connectors](/docs/configure-api-credentials-and-connectors-in-sigma) in Sigma. By adding client and server certificates to Sigma, you can enhance data security with <a href="https://en.wikipedia.org/wiki/Mutual_authentication" target="_blank">mutual authentication</a> when making requests to external services. If an endpoint or platform requires mutual authentication to make requests, you can configure a certificate in Sigma to meet that requirement.

## System and user requirements

To add a client certificate to Sigma:

* You must be assigned an [account type](/docs/account-type-and-license-overview) with the **Manage API connectors** permission enabled.
* You must be able to provide a paired client certificate and client key for the platform that requires mutual authentication. To generate a certificate and key, refer to the documentation for the platform you want to authenticate with.

## Add a client certificate to Sigma

Add a new certificate to Sigma for use with API connectors.

1. Go to **Administration** > **API connectors**:
   1. From the Sigma header, select your user avatar to open the user menu.
   2. Select **Administration** to open the **Administration** portal.
   3. From the side panel, select **API connectors**.

2. Select the **Certificates** tab.

3. Select **Create certificate**.

4. On the **New certificate** screen, configure the following fields in the **Certificate details** section:

   | Field                  | Description                                                                                                                                                                                                                 |
   | ---------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Name**               | The name of the client certificate as it appears when selected for a connector.                                                                                                                                             |
   | **Description**        | (Optional) A description that helps users identify the client certificate when creating an API connector.                                                                                                                   |
   | **Authorized domains** | A set of authorized domains used to restrict access to the client certificate. The client certificate can only be used for endpoints that match the authorized domains. Use \* as a wildcard - for example `*.example.com`. |

5. In the **Certificate and key** section, add or configure the following:

   | Field                  | Description                                                                                                                                                                                                                                                                            |
   | ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
   | **Client certificate** | The public certificate, encoded in privacy-enhanced mail (PEM) format. Used to identify the client from Sigma when making a request to the server. You can either select **Upload** to add a **.pem**, **.crt**, or **.cer** file, or enter the certificate in the provided text area. |
   | **Client key**         | The private key paired with the client certificate. Used by Sigma to prove ownership of the client certificate when making a request to the server. You can either select **Upload** to upload a **.pem** or **.key** file or enter the key in the provided text area.                 |
   | **Passphrase**         | (Optional) The passphrase used to decrypt an encrypted key. If you use an encrypted key format, such as PKCS #8 encrypted, enter the associated passphrase. Leave blank if the key is not encrypted.                                                                                   |
   | **CA certificate**     | (Optional) The certificate used to verify the server's identity. You can either select **Upload** to add a **.pem**, **.crt**, or **.cer** file, or enter the certificate in the provided text area.                                                                                   |

6. Select **Save**.

The certificate is available when configuring [API connectors](/docs/configure-api-credentials-and-connectors-in-sigma) in Sigma.