Summary
Add mutual TLS (mTLS) authentication as an alternative to bearer token auth, similar to how Temporal handles authentication.
Motivation
- Stronger cryptographic identity vs shared secret
- No token to leak/rotate
- Connection rejected at TLS handshake before application code runs
Implementation Notes
- Certificates will need to be passed via environment variables (base64 encoded)
- Generate self-signed CA + server/client certs
- Add script to generate cert chain
- Make it configurable alongside or instead of bearer token auth
Tasks
- Create cert generation script
- Add mTLS configuration to API server
- Support certs via environment variables (base64 encoded PEM)
- Update documentation
- Add example client configuration
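
One way the "certs via environment variables (base64 encoded PEM)" task could look on the server side, as an added example that is not part of the issue or the project's code. It assumes a Python API server and hypothetical variable names (`MTLS_CA_CERT_B64`, `MTLS_SERVER_CERT_B64`, `MTLS_SERVER_KEY_B64`); the issue specifies neither.

```python
import base64
import binascii
import os
import ssl
import tempfile

# Hypothetical variable names; the issue does not define any.
CA_VAR = "MTLS_CA_CERT_B64"
CERT_VAR = "MTLS_SERVER_CERT_B64"
KEY_VAR = "MTLS_SERVER_KEY_B64"


def pem_from_env(name, kind, environ=os.environ):
    """Decode a base64-encoded PEM from the environment, failing closed."""
    raw = environ.get(name)
    if not raw:
        raise ValueError(f"{name} is not set")
    try:
        # validate=True rejects stray characters instead of silently skipping them
        text = base64.b64decode(raw.strip(), validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"{name} is not base64-encoded PEM") from exc
    if "-----BEGIN " not in text or f"{kind}-----" not in text:
        raise ValueError(f"{name} does not contain a PEM {kind}")
    return text


def build_mtls_server_context(environ=os.environ):
    """Return a server SSLContext that rejects clients without a CA-signed cert."""
    ca = pem_from_env(CA_VAR, "CERTIFICATE", environ)
    cert = pem_from_env(CERT_VAR, "CERTIFICATE", environ)
    key = pem_from_env(KEY_VAR, "PRIVATE KEY", environ)

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED        # handshake fails without a client cert
    ctx.load_verify_locations(cadata=ca)       # trust only the private CA

    # load_cert_chain() only accepts file paths, so stage cert + key in a
    # temporary file (created 0600 by mkstemp) and remove it once loaded.
    fd, path = tempfile.mkstemp(suffix=".pem")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(cert + "\n" + key)
        ctx.load_cert_chain(path)
    finally:
        os.unlink(path)
    return ctx
```

The returned context can be passed to any server that accepts an `ssl.SSLContext`; a missing or malformed variable raises at startup rather than letting the server come up without client verification.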