Whether a part of the core or not, there should be a handler that can verify client certificates and possibly make authorization decisions on a per-route basis.

What is the status on that?

There isn't anything pre-baked in TigerTonic, but since it operates on http.Handler's you can wire your own in fairly easily. I will tell you that we do this, and it was very fragile. for example, wrapping the ResponseWriter reference the way a lot of the tt handlers do causes the http.Request.TLS to not get populated because net/http rely on an internal implementation to be present. I haven't had the time to check if this is still the case in 1.3, but basically I would hesitate to release a pre-baked solution for this due to the fragility and documentation burden involved.

Hi mihasya, thank you for your response.