Certificate-backed runtime authentication
rstream now supports certificate-backed authentication for agent connections and published tunnel traffic. Machines, devices, services, and external clients can now identify with a private key instead of carrying a bearer token.
The new mTLS Client Certificate (MTLS) credential stores the SHA-256 fingerprint of a client certificate and carries the Engine API permissions and Tunnel access rules for that certificate. The same credential can authorize an agent on the engine control channel, or a client reaching a published tunnel when mtls_auth is enabled. The private key stays outside rstream with the runtime that owns the identity, while admission remains managed from the same credential inventory as PATs and application credentials.
mTLS operates at the transport layer, so it is not limited to HTTP. For published tunnels, the same certificate-backed identity model can protect TLS, DTLS, and QUIC traffic regardless of the application protocol above it, including protocols such as gRPC or MQTT. Token authentication remains useful for HTTP clients; mTLS covers a broader set of runtimes and protocols.
The CLI and SDK configuration now expose mTLS as an alternative to token authentication for agent connections. A context may use token auth or mTLS auth for the engine control channel, but not both at once. The Engine HTTP API remains token-authenticated. Published tunnels may enable several authentication methods for different clients, but a single request must not present multiple proofs at the same time.
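The admission model described above (a credential keyed by the SHA-256 fingerprint of the client certificate, and the rule that one request presents exactly one proof) can be shown end to end in a short program. The following Go code is an added example and is not rstream's code or the rstream SDK; the `Credential`, `Inventory`, `Request` and `Admit` names, the permission strings, and the in-memory self-signed certificates are all constructed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Credential is a hypothetical, simplified model of a certificate-backed credential:
// the certificate's SHA-256 fingerprint plus the permissions that fingerprint carries.
type Credential struct {
	Name        string
	Fingerprint string   // lower-case hex SHA-256 of the DER-encoded certificate
	Permissions []string // constructed example permissions, not real rstream permission names
}

// Inventory is the credential inventory: fingerprint -> credential.
type Inventory map[string]Credential

// Fingerprint hashes the certificate's DER encoding with SHA-256 and returns it as hex.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// Request models what a single connection presents; at most one field may be set.
type Request struct {
	BearerToken string
	PeerCert    *x509.Certificate
}

var (
	ErrMultipleProofs = errors.New("request presents more than one proof of identity")
	ErrNoProof        = errors.New("request presents no proof of identity")
	ErrUnknownCert    = errors.New("certificate fingerprint not in credential inventory")
)

// Admit enforces the single-proof rule and resolves the peer certificate to a credential.
// Token validation is out of scope for this example, so only certificates are resolved.
func (inv Inventory) Admit(req Request) (Credential, error) {
	if req.BearerToken != "" && req.PeerCert != nil {
		return Credential{}, ErrMultipleProofs
	}
	if req.PeerCert == nil {
		return Credential{}, ErrNoProof
	}
	cred, ok := inv[Fingerprint(req.PeerCert)]
	if !ok {
		return Credential{}, ErrUnknownCert
	}
	return cred, nil
}

// NewSelfSignedCert builds a throwaway client certificate in memory (constructed test
// material only; in a real deployment the private key stays with the runtime that owns it).
func NewSelfSignedCert(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	agent, _ := NewSelfSignedCert("agent-01")
	stranger, _ := NewSelfSignedCert("stranger")
	inv := Inventory{Fingerprint(agent): {Name: "agent-01", Fingerprint: Fingerprint(agent), Permissions: []string{"engine:connect"}}}

	fmt.Println(inv.Admit(Request{PeerCert: agent}))                      // admitted with its permissions
	fmt.Println(inv.Admit(Request{PeerCert: stranger}))                   // ErrUnknownCert
	fmt.Println(inv.Admit(Request{PeerCert: agent, BearerToken: "tok"}))  // ErrMultipleProofs
}
```

The fingerprint is computed over the raw DER bytes, so re-issuing a certificate (even for the same key) yields a new fingerprint and needs a new inventory entry; the lookup itself never touches the private key, which is the property the credential model relies on.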
This requires rstream CLI and Go SDK 1.15.0 or later, and C++ SDK 1.7.0 or later.
For setup details, see mTLS, Configuration File, and Environment Variables.