Mutual TLS in Creator
In a nutshell
Mutual TLS (mTLS) in Zoho Creator establishes a secure, certificate-based communication with external domains. It verifies both parties involved in the connection, offering stronger authentication and protection against common security threats.
Availability
- Currently, this feature is available on an on-demand basis and can only be enabled by support@zohocreator.com.
1. Overview
In modern cloud applications, integration security is critical to protecting sensitive data exchanged between systems. Most APIs rely on Transport Layer Security (TLS) to encrypt data in transit and verify that the client is communicating with a trusted server. This is known as one-way TLS, where only the server presents a certificate during the handshake.
Mutual TLS (mTLS) extends this model by requiring both the client and the server to present X.509 certificates during the TLS handshake. This enables two-way authentication, ensuring that both parties verify each other’s identity before any data is exchanged. The result is a secure, encrypted channel between two trusted systems.
In Zoho Creator, mTLS allows your application to establish a secure connection with external domains by validating certificates on both ends. During the handshake, Zoho Creator (as the client) and the third-party service (as the server) exchange and authenticate certificates. This mutual verification helps prevent:
- Unauthorized access
- Man-in-the-middle attacks
- Service impersonation
Because both endpoints are required to prove their identity, mTLS is ideal for high-trust, compliance-sensitive environments.
1.1 Benefits of using mTLS in Creator
Strong security and trust
- Ensures encrypted communication across public or private networks
- Validates both endpoints through mutual certificate exchange
- Reduces risk of unauthorized API access or spoofed services
Enterprise-grade protection
Organizations operating at scale or handling critical data can rely on mTLS for:
- Enterprise-grade security: Secure connections for internal APIs, third-party services, or partner integrations
- HIPAA-ready architecture: Suited for healthcare applications that manage electronic health records (EHRs) and PHI
- Zero Trust alignment: Reinforces a Zero Trust model by requiring both identity and intent verification
- Compliance support: Suitable for organizations governed by ISO 27001, PCI-DSS, GDPR, and other data protection frameworks
1.2 Navigation guide
Navigate to the Connections tab under Microservices section. Once Mutual TLS has been enabled on demand for your account by the Creator support team, it will be listed as a system connection with a "Not connected" status.
1.3 Setting up a mTLS connection
Setting up mTLS involves downloading a self-signed certificate from Zoho Creator and importing it into the third-party domain you want to connect with. Once configured, all requests from Zoho Creator to that external service are encrypted and verified. To use mTLS in Zoho Creator, you’ll first need to request access from the support team.
- Navigate to the Connections tab under Microservices section once mTLS has been enabled where it will be listed as a system-generated connection.
- Click the ellipsis icon present on the Mutual TLS connection card and click Authorize to begin whitelisting the domains that should communicate securely using mTLS.
- In the configuration popup that follows, use the highlighted link to download the public certificate in .pem format.
- Import this certificate into the trust-store of your third-party service. After uploading the certificate, on hitting the respective API endpoint, communication will remain secured by mtls.
- Enter the domains that support mTLS authentication and require to be whitelisted for secure communication, click Continue.
Note: A few services that support mTLS are SAP, AWS, Microsoft Azure, ServiceNow, Oracle Cloud APIs, SalesForce, and Plaid.
Once mTLS has been configured and the certificate is uploaded in the third party trust store, the third-party service will accept requests from Zoho Creator after verifying its identity via the imported certificate. This means the third-party will now trust Creator and vice versa.
Disabling the mTLS support
To temporarily disable the mTLS property:
- Navigate to the Connections tab.
- Click the ellipsis icon beside the mTLS item and click Disable. This disables mutual authentication until re-enabled.
If your account has been enabled with the mTLS property in the backend, but you choose to disable the auto-created Mutual TLS system connection, mTLS support will no longer apply to the whitelisted domains. In this case, mutual TLS communication will be temporarily suspended until the connection is re-enabled.
1.4 Certificate details
Property | Details |
Certificate Format | .pem (Privacy Enhanced Mail) |
Key Size | 4096-bit RSA |
Certificate Standard | X.509 v3 |
Issued By | Zoho (self-signed certificate) |
Validity | 5 years from the date of generation |
Metadata Included | Subject, Issuer, Public Key, Validity period |
Compatibility | Fully compatible with most third-party systems that support mTLS |
Downloaded certificates contain all necessary metadata (subject, issuer, public key, validity) to establish mutual trust between Creator and third-party systems. Once the certificate expires, you'll need to download a new one by authorizing the mTLS system connection enabled in your account and re-import it into your external service to ensure continued secure communication.
Zoho Creator currently provides a self-signed certificate. This type of certificate is fully capable of establishing trust between Zoho and the third party service.
Note: If you need to use a different key size or certificate file format such as .crt, .der, or .pfx, please contact support@zohocreator.com.
1.5 Use Cases
Healthcare
A healthcare provider uses a Zoho Creator application called Medical Bridge to manage patient referrals and transmit sensitive health data to external diagnostic labs. To ensure HIPAA compliance and prevent unauthorized access, the provider configures Mutual TLS under the Connections tab in Zoho Creator. When a referral is submitted, Medical Bridge sends the patient’s encrypted data via API to the lab's system.
Assume the lab uses Oracle Health, an EHR platform that supports mTLS. During the API call, Medical Bridge presents its digital certificate, which Oracle Health validates to confirm the request originates from an authorized source. Simultaneously, Oracle’s certificate is verified by Medical Bridge, completing a secure, mutual handshake. This setup ensures sensitive data is shared only between verified systems, supporting secure interoperability between healthcare platforms.
Procurement
A large manufacturing company automates its purchase order workflows using a Zoho Creator application. Some vendors require mTLS authentication to accept order data via API. The company configures mTLS in Creator by enabling the feature through support and completing the setup in the Connections tab.
Let’s say one such vendor operates on SAP Business Technology Platform, which supports mTLS. When the Creator app sends a purchase request, SAP validates Creator’s certificate to ensure it comes from a trusted source, while Creator verifies SAP’s certificate in return. This mutual verification helps meet industry security standards like ISO 27001 and PCI-DSS, ensuring encrypted, authenticated communication throughout the procurement cycle.
2. Points to note
- Mutual TLS (mTLS) must be enabled for your Creator account by contacting support@zohocreator.com.
- The public certificate provided by Creator is in .pem format with a 4096-bit key size and follows the X.509 v3 standard.
- Zoho Creator currently issues a self-signed certificate, which is fully functional for trusted communication with supported external services.
- Disabling the system-generated mTLS entry from the Connections tab will temporarily suspend mutual TLS communication for whitelisted domains.
3. Related topics
Access your files securely from anywhere
Zoho CRM Training Programs
Learn how to use the best tools for sales force automation and better customer engagement from Zoho's implementation specialists.
Zoho DataPrep Personalized Demo
If you'd like a personalized walk-through of our data preparation tool, please request a demo and we'll be happy to show you how to get the best out of Zoho DataPrep.
- Zoho Workerly Home
- Forums
- Connect With Us:
- Zoho Recruit Home
- Forums
- Connect With Us:
New to Zoho Writer?
Create. Review. Publish.
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho CRM Plus?
Deliver unforgettable customer experiences
New to Zoho Marketing Plus?
Everything you need to run your marketing
New to Zoho Marketing Plus?
Everything you need to run your marketing
You are currently viewing the help pages of Qntrl’s earlier version. Click here to view our latest version—Qntrl 3.0's help articles.
New to Zoho Survey?
Zoho Sheet Resources
Zoho Forms Resources
New to Zoho Sign?
Zoho Sign Resources
Sign, Paperless!
New to Zoho TeamInbox?
Zoho TeamInbox Resources
New to Zoho ZeptoMail?
Design. Discuss. Deliver.
New to Zoho Workerly?
New to Zoho Recruit?
New to Zoho CRM?
New to Zoho Projects?
New to Zoho Sprints?
New to Zoho Assist?
New to Bigin?
Related Articles
Adding an administrator to Creator account
Administrators in Zoho Creator have full access across the platform, including both edit and live modes of applications, BI & Analytics, and Integration Flows. They can build and edit application schemas, manage all application data, handle user ...Zoho Creator Product Catalog
Overview Zoho Creator is a powerful low-code platform that enables anyone to build resourceful enterprise-grade applications quickly with minimal programming knowledge. With Zoho Creator you can build, deploy, and manage workplace tools for your ...FAQs: Zoho Creator - Starter Guide
This page covers essential insights into Zoho Creator, a low-code platform offering support for multiple languages, shared responsibility models, and the unique Deluge coding language, providing comprehensive assistance for your business needs. What ...Limitations: Pages
General An HTML snippet can only contain up to approximately 500 KB code or 450,000 characters. When you download a page as PDF and if the resulting PDF it has reports embedded in the page, the PDF will show only the records visible within the ...Limitations: General
Application specific PDF Generation Currently, Zoho Creator only supports PDF exporting for list reports and pages. Further, the PDF format for a list report does not support grouping and summarizing columns with numerical values within the report. ...
New to Zoho LandingPage?
Zoho LandingPage Resources