Configure mTLS

Set up and manage Partner Accounts securely by obtaining API credentials, following best practices for credential management, and implementing strong security measures for integration with Klarna's services.

Mutual Transport Layer Security (mTLS) extends ordinary TLS so that the client authenticates to the server with a certificate, just as the server authenticates to the client. A leaked API token alone is then not enough to call the API: the caller must also hold the private key of a client certificate issued for the account, which makes it considerably harder for an attacker to misuse leaked credentials.

Klarna requires acquiring partners to implement mTLS to ensure the security of Partner integrations. For all other account types, it may be enabled manually by Klarna on request.

  • Generate your private key with elliptic curve cryptography on the prime256v1 (NIST P-256) curve and store it securely. The private key never leaves your environment; only the Certificate Signing Request derived from it is sent to Klarna.
    • Example: creation command for certificate key
openssl ecparam -genkey -name prime256v1 -out my-key-file.pem
  • Create a Certificate Signing Request (CSR)
    • The Common Name (CN) in the CSR should be the last part of your account ID.
    • For example, if your account ID is krn:partner:global:account:live:LYABCDEI, the CN should be LYABCDEI.
    • Example: creating a Certificate Signing Request (CSR)
openssl req -new -key my-key-file.pem -out csr.pem -subj "/CN=LYABCDEI"
  • Submit the Certificate Signing Request (CSR) generated above to the createCredentialsClientCertificate API endpoint; the signed certificate is returned in the API response. Your account is now in an mTLS enabled, but not enforced, state. This lets you verify the mTLS configuration safely before access is enforced.
  • Store the returned certificate and configure your runtime environment to present it, together with the private key, on every API request.
    • Example using curl which will list the newly created certificate. Here certificate.pem is the certificate returned by the API and private-key.pem is the key generated in the first step (named my-key-file.pem there).
BASH
curl --cert certificate.pem --key private-key.pem -H "Authorization: Basic $API_TOKEN" https://api-global.klarna.com/v2/account/integration/credentials/client-certificate
  • Once a certificate has been issued, API responses include a header with the result of the mTLS verification of that request. The header is Klarna-Mtls-Verification-Status and its value is one of NOT_PRESENT, VALID and INVALID, so the configuration can be verified before it is enforced.
  • When the integration has been set up and requests return the VALID status, it is time to enforce access security. This is done using the enforceMTLSAuthorization API endpoint.
    • Example using curl to enforce mTLS from a specific time in the future.
    • The enforced_from timestamp must meet the following criteria:
      • The enforcement time cannot be in the past.
      • The enforcement time can be now.
      • The enforcement time can be at most 3 months in the future.
    • Note: Enforcement takes effect up to 5 minutes after the configured timestamp.
    • The response shows the applied enforcement as a status, either ENFORCED or REPORTING.
BASH
curl -X PUT --cert certificate.pem --key private-key.pem -H "Content-type: application/json" -H "Authorization: Basic $API_TOKEN" https://api-global.klarna.com/v2/account/integration/client-certificates/enforcement -d '{"enforced_from": "2025-12-12T00:00:00Z"}'
  • The readMTLSAuthorizationEnforcementStatus API endpoint returns the current enforcement status.
    • Example using curl to get the mTLS enforcement status.
    • Present the certificate in this request if the enforcement time set in the previous step has already passed, since from that time every API request is verified.
BASH
curl -X GET --cert certificate.pem --key private-key.pem -H "Authorization: Basic $API_TOKEN" https://api-global.klarna.com/v2/account/integration/client-certificates/enforcement
  • From the enforcement time, the mTLS client certificate is verified on every API request and the status header is no longer returned.
  • mTLS enforcement can be disabled by deleting the enforcement time set in the steps above. This is done using the removeEnforcementOfMTLSAuthorization API endpoint.
    • Example using curl to delete the mTLS enforcement.
BASH
curl -X DELETE --cert certificate.pem --key private-key.pem -H "Authorization: Basic $API_TOKEN" https://api-global.klarna.com/v2/account/integration/client-certificates/enforcement
  • CSR Requirements: The CSR must contain only the CN and no extra subject attributes, requested extensions or other attributes.
  • Certificate Validity: The issued certificate is valid for 3 years. You need to monitor its expiration and initiate the renewal process in advance.
  • Multiple Certificates: You can have up to 10 active certificates at a time.
  • Revoking Certificates: Before revoking an active certificate, ensure a replacement certificate has been issued and installed. Use the Partner API revokeCredentialsClientCertificate to revoke the old certificate.
  1. Issue a new certificate following the steps above to create and submit a CSR.
  2. Install and test the new certificate, confirming that requests made with it succeed.
  3. Revoke the old certificate using the Partner API, after confirming the new one is functioning.
By following these steps, you can ensure a secure and smooth setup of mTLS for your Klarna account.
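The script below is an added example and not Klarna's own tooling. It ties the steps above together: it derives the CN from the account ID, generates the prime256v1 key and CSR with the same openssl commands as the steps, checks the CSR against the CSR requirements before it is submitted (only a CN in the subject, P-256 key, no extensions or extra attributes), and reads the Klarna-Mtls-Verification-Status header out of a curl header dump so that the enforcement call is only made once requests report VALID. The account ID, file names and the header dump are constructed for illustration; openssl and curl are assumed to be installed.

```shell
#!/bin/sh
# Added example (not Klarna's code): prepare the mTLS key and CSR per the
# steps above and gate enforcement on the verification header.
# Assumptions: openssl is installed; the account ID and file names are illustrative.
set -eu

# The CN is the last colon-separated segment of the account ID.
account_cn() {   # $1 = account ID, e.g. krn:partner:global:account:live:LYABCDEI
    printf '%s\n' "${1##*:}"
}

# Generate the prime256v1 private key (same command as in the steps above).
gen_key() {   # $1 = key file to write
    openssl ecparam -genkey -name prime256v1 -out "$1"
}

# Create the CSR with the CN as the only subject attribute.
gen_csr() {   # $1 = key file, $2 = CN, $3 = CSR file to write
    openssl req -new -key "$1" -out "$3" -subj "/CN=$2"
}

# Check a CSR before submitting it: the subject must be exactly CN=<account CN>,
# the key must be on prime256v1 (P-256) and nothing beyond that may be requested.
# Returns non-zero on the first failed check.
check_csr() {   # $1 = CSR file, $2 = expected CN
    subject=$(openssl req -in "$1" -noout -subject -nameopt RFC2253)
    if [ "$subject" != "subject=CN=$2" ]; then
        echo "unexpected subject: $subject" >&2; return 1
    fi
    text=$(openssl req -in "$1" -noout -text)
    if ! printf '%s\n' "$text" | grep -q 'prime256v1'; then
        echo "key is not on prime256v1" >&2; return 1
    fi
    if printf '%s\n' "$text" | grep -Eq 'X509v3|challengePassword|unstructuredName'; then
        echo "CSR carries extensions or extra attributes" >&2; return 1
    fi
    return 0
}

# Read the mTLS verification status from a response header dump (curl -D file).
# Prints nothing when the header is absent, which is what you see once
# enforcement is active and the header is no longer returned.
mtls_status() {   # $1 = header dump file
    tr -d '\r' < "$1" | awk 'tolower($1) == "klarna-mtls-verification-status:" { v = $2 } END { print v }'
}

# Enforcement should only be switched on once requests report VALID.
safe_to_enforce() {   # $1 = header dump file
    [ "$(mtls_status "$1")" = "VALID" ]
}

demo() {
    account_id='krn:partner:global:account:live:LYABCDEI'   # constructed example ID
    cn=$(account_cn "$account_id")
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    gen_key "$tmp/my-key-file.pem"
    gen_csr "$tmp/my-key-file.pem" "$cn" "$tmp/csr.pem"
    check_csr "$tmp/csr.pem" "$cn"
    echo "CSR for CN=$cn is ready to submit"

    # Constructed header dump standing in for a real response. In practice capture it with:
    #   curl -D "$tmp/headers.txt" --cert certificate.pem --key my-key-file.pem ... <API URL>
    printf 'HTTP/2 200\r\ncontent-type: application/json\r\nKlarna-Mtls-Verification-Status: VALID\r\n\r\n' \
        > "$tmp/headers.txt"
    if safe_to_enforce "$tmp/headers.txt"; then
        echo "status VALID: safe to call the enforcement endpoint"
    else
        echo "status '$(mtls_status "$tmp/headers.txt")': do not enforce yet"
    fi
}

# Run the demo only where openssl is available.
if command -v openssl >/dev/null 2>&1; then
    demo
fi
```

Run check_csr against csr.pem before calling the createCredentialsClientCertificate endpoint, and feed the header dump of a real request into safe_to_enforce before calling the enforcement endpoint; a CSR that carries an O or SAN, or a response reporting NOT_PRESENT or INVALID, stops the script with a non-zero exit.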