Skip to content

Security

Built-in TLS and mTLS for secure gRPC/ConnectRPC communication over HTTP/2.

Quick Start

typescript
import { createServer } from '@connectum/core';
import routes from '#gen/routes.js';

const server = createServer({
  services: [routes],
  port: 5000,
  tls: {
    dirPath: './keys',  // Looks for server.key + server.crt
  },
});

await server.start();

When TLS is configured, Connectum creates an HTTP/2 secure server (http2.createSecureServer) with ALPN negotiation. Without TLS, the default server is plaintext HTTP/1.1 (http.createServer, since allowHTTP1 defaults to true); set allowHTTP1: false to get a plaintext HTTP/2 (h2c) server instead. See the transport matrix for which RPC types each transport supports.

Key Concepts

ConceptDescription
TLS OptionskeyPath + certPath for explicit paths, or dirPath for directory-based config
Environment VariablesTLS_DIR_PATH, TLS_KEY_PATH, TLS_CERT_PATH for deployment flexibility
mTLSMutual TLS via http2Options: requestCert, rejectUnauthorized, ca
TransportsWithout TLS: HTTP/1.1 by default, h2c with allowHTTP1: false; with TLS: ALPN (HTTP/2 + HTTP/1.1). See the transport matrix
Utility FunctionsreadTLSCertificates(), getTLSPath() from @connectum/core

Learn More