Support TLS client certificate and key configuration in built-in fetch (2-way TLS)

[alinayebi9080]

Goals

The built-in fetch provided by Next.js (when used in server components or API routes) currently lacks support for configuring client TLS options, such as cert, key, and ca for mutual TLS (2-way TLS) authentication.

This limitation prevents secure communication with external services that require 2-way TLS, which is common in enterprise APIs or private services.

Non-Goals

No response

Background

I'd like the ability to pass custom HTTPS agent options to fetch, such as:

fetch('https://secure-api.com/data', {
  agent: new https.Agent({
    cert: fs.readFileSync('client-cert.pem'),
    key: fs.readFileSync('client-key.pem'),
    ca: fs.readFileSync('ca-cert.pem'),
    rejectUnauthorized: true,
  })
});

### Proposal

i have no idea

[baljir0901]

Hey, just wanted to chime in and say I totally agree with this idea.

---

🔐 Why it matters

A lot of enterprise APIs (especially in finance, healthcare, or internal B2B systems) require mutual TLS — that means the client has to present a certificate and private key to access the service securely.

But right now, the built-in fetch() in Next.js doesn’t let us pass an HTTPS agent with those credentials. So we can’t set:

• cert
• key
• ca

...which makes it impossible to call those secure services unless we use a workaround.

---

⚠️ Current workaround

Right now, we have to fall back to using axios or the native Node https.request():

import axios from "axios";
import https from "https";
import fs from "fs";

const agent = new https.Agent({
  cert: fs.readFileSync("client-cert.pem"),
  key: fs.readFileSync("client-key.pem"),
  ca: fs.readFileSync("ca-cert.pem"),
});

const res = await axios.get("https://secure-api.com/data", {
  httpsAgent: agent,
});
But this isn't ideal because it:

Adds another dependency

Loses some of Next.js’s built-in fetch benefits

Breaks consistency between API routes and server components

✅ What would be great
It would be awesome if fetch() supported an agent option natively, like:

ts
Copy
Edit
await fetch("https://secure-api.com/data", {
  agent: new https.Agent({ ... }),
});
Even a simple way to globally customize the fetch used in SSR would be a huge step forward.

Anyway, I just wanted to share my support — thanks for bringing this up!

Hope this helps make your day a little easier 🙌