This Zato how-to is about ensuring that only API clients with valid SSL/TLS certificates, including expected certificate fingerprints or other metadata, can invoke selected REST endpoints. In this way, we are making access to the endpoints secure and, at the same time, we can guard against a class of faults related to the Certificate Authority infrastructure.

One of fundamental principles of programming with Zato is that one’s services are typically insulated from inner workings of underlying data formats or security schemes - after all, why bother with mundane tasks such as authentication or authorization, it should be the platform’s job whereas user services should rather focus on their own job.

Zato ESB and app server has grown additional means through which it is now even easier to invoke SOAP services.