Highlights

What to expect

Some key insights to consider when interacting with the Identity Plus Selfauthority platform.

Everything X.509 certificates & mutual TLS

There are no user names and no passwords: the identity anchor is your device and the X.509 client certificate associated with it.

All Identity Plus services operate solely over mutual TLS. X.509 certificates do not require mTLS, but mTLS depends on X.509 client certificates, so nothing will work without them.

Get your first certificate

Identity and Access Control are independent

Identity and Access Control are separate functions, with fully independent ownership. As a service or organization you should not expect to control identities. You don't need to - you retain full control over access.

As clients, you should not expect to manage your identity with any one of the services you access. Your identity is yours, you manage it in Identity Plus.

Open Source - use, modify, contribute

Most of the Selfauthority toolkit is available as open source. You can use it at full capacity with both the identity and the access control services; for the latter this applies on any plan, including the free plan.

Feel free to modify the code and tailor it to your needs; we would be grateful if you contributed your additions to the repo where they are complementary. You can also submit feature requests and suggestions, or vote to steer the direction of development.

Visit us on GitHub

mTLS Identity Tooling

Selfauthority CLI

Command line identity management

Linux Windows MacOS AGPL-3.0

The primary tool for provisioning, renewing, and managing mTLS identities from the command line. Built in Go - compile once for any platform.

  • Enroll any device or service agent using an autoprovisioning token
  • Renew certificates on demand or via cron - continuity without manual intervention
  • Issue service identity server certificates signed by the Identity Plus Private CA
  • Assist Enroll managed services - delegate provisioning without sharing credentials
  • CI / CD ready - self-provision X.509 certificates in any pipeline, OS-agnostic

GitHub Repository

mTLS Persona

Identity wrapper for legacy TCP clients

Linux Windows MacOS AGPL-3.0

A transparent TCP forwarder that gives any legacy client a full mTLS identity with no code modifications. The application believes it communicates locally over plain text; Persona wraps that traffic in a mutually authenticated TLS channel before it leaves the machine.

  • No code changes to the client - works with databases, queues, any TCP service
  • Identity at the perimeter of one - Persona is logically part of the client it represents
  • Multiple mappings per instance - one Persona, many upstream connections
  • High performance - event-driven, threaded, with hardware-accelerated encryption where available
  • Works alongside the CLI for automatic certificate rotation

GitHub Repository

mTLS ID - Mobile App

Identity manager for Mobile Devices

Android

The human-facing Self-Authority identity. A cryptographic mTLS ID that lives on the phone and enables connection-level authentication at the TLS layer - before any application, login page, or session is involved.

  • Personal mTLS identity - the phone is the certified identity carrier, not the password
  • Enroll and manage your Self-Authority identity on the go
  • Works with any mTLS-aware service including those gated by the mTLS Gateway
  • Same uniform identity architecture as machines and AI agents - mobile browsers can use the identity for transparent authentication

Google Play

mTLS Perimeter Tooling

mTLS Gateway

Identity-gated reverse proxy

Docker Linux Windows MacOS AGPL-3.0

A high-precision reverse proxy built natively on mTLS. Drop it in front of any HTTP or TCP service and enforce Identity Gated Execution - no code changes to the upstream service required. Authentication happens at the connection layer, before any application data is exchanged.

  • Turnkey IGE - gate any legacy HTTP or TCP service with zero upstream changes
  • Flexible access control - full Gateway RBAC, application mode, or hybrid per route
  • Built-in OIDC / OAuth2 provider - translate mTLS identity into corporate SSO with automatic account provisioning
  • Trusted Headers - inject verified identity and role into HTTP headers for instant zero-trust integration with legacy apps
  • Per-path access control - enforce mTLS on specific URL prefixes, define role requirements per route
  • Multi-perimeter - gate any number of upstream services from a single Gateway instance, each independently configured
  • Certificate automation - server and agent certificates rotate automatically; Let's Encrypt and Identity Plus private CA supported
  • Full audit logging - configurable verbosity and retention, log files available on host for long-term storage
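The Trusted Headers feature only holds if the upstream ever sees identity headers the Gateway itself set, so caller-supplied copies must be discarded before the verified values are injected. As an added illustration (not the Gateway's own code), this Go middleware strips any incoming identity headers and repopulates them from the mTLS-verified peer certificate; the header names, the role table, and the request path are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header names and the role table are assumptions for this example, not the Gateway's own.
const identityHeader, roleHeader = "X-Identity-Plus-Subject", "X-Identity-Plus-Role"
var roleFor = map[string]string{"alice-laptop": "admin"}

// TrustedHeaders drops any identity headers the caller sent (they are unverified) and
// sets them only from the client certificate that mTLS verified on this connection.
func TrustedHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		r.Header.Del(identityHeader)
		r.Header.Del(roleHeader)
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		subject := r.TLS.PeerCertificates[0].Subject.CommonName
		r.Header.Set(identityHeader, subject)
		if role, ok := roleFor[subject]; ok {
			r.Header.Set(roleHeader, role)
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends one request carrying a spoofed identity header through the middleware and
// reports what the upstream saw; pass no certs to simulate a connection without mTLS.
func Probe(spoofed string, certs ...*x509.Certificate) (subject, role string, status int) {
	upstream := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		subject, role = r.Header.Get(identityHeader), r.Header.Get(roleHeader)
	})
	req := httptest.NewRequest(http.MethodGet, "/wp-admin/", nil)
	req.Header.Set(identityHeader, spoofed)
	req.TLS = &tls.ConnectionState{PeerCertificates: certs}
	rec := httptest.NewRecorder()
	TrustedHeaders(upstream).ServeHTTP(rec, req)
	return subject, role, rec.Code
}

func main() {
	cert := &x509.Certificate{Subject: pkix.Name{CommonName: "alice-laptop"}}
	fmt.Println(Probe("forged-admin", cert)) // alice-laptop admin 200
}
```

The spoofed value never reaches the upstream, and a connection that presented no client certificate is rejected before the handler runs.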

Documentation
GitHub Repository

Wordpress Integration

mTLS identity for WordPress

Wordpress AGPL-3.0

Brings mTLS identity directly into WordPress. Authentication happens at the TLS layer before the login page loads. The admin panel becomes structurally inaccessible to any device without a valid mTLS ID, regardless of application-layer vulnerabilities.

  • Pre-login authentication - TLS-layer check before any page renders; no login page, no brute-force surface
  • Device-bound access - the admin panel is only reachable from enrolled devices, not from stolen credentials alone
  • Automatic SSO - enrolled devices are signed in silently; two- and three-factor authentication without a separate app
  • Zero-redirect corporate SSO - maps mTLS identity to WordPress accounts via organisational relationships
  • Legacy redirect fallback - device verification and automatic login via Identity Plus

GitHub Repository

Let us know if you think we can help