Mutual TLS

All API methods (except for OAuth2 Meta Data and OAuth2 Authorization request) mandate the use of a registered X509 client certificate (all intermediate certificates in the chain should be included with the client certificate) during the TLS handshake.

Note that the client certificate needs to contain all intermediate certificates in the chain in order to be valid. If not included the API will reject the connection with statuscode 403 (forbidden).