Entities operating in an EU/EEA member state under the Markets in
Crypto-Assets (MiCA) regulation must use mTLS. Any other Circle Mint customer
with an active API key can opt in to mTLS for extra security. Until Circle
enables mTLS on your entity, standard API key authentication continues to work
with no changes.
Prerequisites
Before you begin, ensure that you’ve:- Contacted Circle Support or your Circle account manager to request that Circle enable mTLS on your entity.
- Installed OpenSSL 1.1.1 or later on your machine for key pair and CSR operations.
- Configured access to the Mint Console with multi-factor authentication (MFA).
Steps
Generate a key pair
Generate an Elliptic Curve Digital Signature Algorithm (ECDSA) P-256 key
pair. Circle accepts only ECDSA P-256 keys. RSA keys and other curves are
rejected.
Generate a CSR
Generate a PKCS#10 CSR from your key pair:Replace
<Your Organization Name> and <Your Organization> with your
entity’s legal name. These values help Circle identify your request. Circle
assigns the final certificate fields during issuance.Verify the CSR
Before submitting, confirm the CSR uses the correct key type:The output must show a public key algorithm of
id-ecPublicKey and an ASN1
OID of prime256v1.Submit your CSR to Circle
Provide the following to Circle Support or
your Circle account manager:
- Your entity ID, found in the Mint Console under Settings.
- Your CSR file (
client.csr). - A request to enable mTLS on your entity.
Receive and verify your signed certificate
Circle delivers the following files through a secure, out-of-band channel:Both commands must return the same SHA-256 hash. If they differ, the
certificate and key do not form a valid pair.
client-cert.pem: your signed client certificate, valid for 365 days.ca-chain.pem: the CA certificate chain.
Generate a new API key
When Circle enables mTLS on your entity, all existing API keys are revoked
immediately. You must generate a new key before you can make API calls.
- Sign in to the Mint Console.
- Complete the MFA challenge. MFA is required for all API key operations on mTLS-enabled entities.
- Generate a new API key and store it securely.
API keys on mTLS-enabled entities have a maximum lifetime of 180 days.
Plan to rotate your key before it expires. See
How-to: Rotate an mTLS API key for the
rotation procedure.
Make an authenticated API call
Call the hostname that matches how you enabled mTLS:To confirm that the TLS handshake is succeeding and that TLS 1.3 is in use,
add the Look for
- MiCA-regulated: Use the regional EU hostname
api-eu.circle.comfor all API traffic. Requests sent toapi.circle.comare rejected. - Optional (non-MiCA): Continue to use the standard hostname
api.circle.com. Your endpoint URLs are unchanged.
api-eu.circle.com. If you enabled mTLS
optionally, substitute api.circle.com.Combine your client certificate and API key in a single request. The
following example retrieves your account balances:-v (verbose) flag:SSL connection using TLSv1.3 in the verbose output. Circle
supports TLS 1.2 and TLS 1.3, but TLS 1.3 is recommended.Validate Circle's server certificate
Complete the two-way trust relationship by validating the server certificate
Circle presents during the handshake. How you validate it depends on why you
enabled mTLS.If you enabled mTLS under MiCA, Circle presents a Qualified Website
Authentication Certificate (QWAC) at
api-eu.circle.com. Choose one of the
following approaches to validate it.Option A: Use a payment aggregator (recommended)Delegate certificate validation to a payment aggregator. The aggregator
handles trust chain verification, revocation checks, and PSD2 compliance
validation on your behalf. This approach reduces integration complexity and
ongoing maintenance.Option B: Validate directly against EU Trusted ListsIf you validate Circle’s server certificate directly, your implementation
must:- Verify the certificate chain against the root certificate authorities (CAs) published on the EU Trusted Lists.
- Confirm PSD2 QcStatements are present in the certificate. These statements attest that the certificate is a QWAC issued for PSD2 purposes.
- Check OCSP revocation status to ensure the certificate has not been revoked.
- Verify the Organization Identifier and NCA in the certificate match Circle’s registration details.
api.circle.com. Validate it the same way you
validate any HTTPS connection, using the CA certificate chain
(ca-chain.pem) Circle provides. The QWAC options above don’t apply to you.Troubleshooting
The following table lists common errors and their causes.| Error | Cause | Resolution |
|---|---|---|
401 “Invalid credentials” | The API key is invalid, expired, or was revoked when mTLS was enabled. | Generate a new API key from the Mint Console with MFA. |
403 “Valid mTLS client certificate required” | No client certificate was presented, or the certificate does not match the entity. | Verify that you pass --cert and --key in your request and that you use the certificate Circle issued for your entity. |
| TLS handshake failure | The certificate and private key do not match, the certificate format is unsupported, or the certificate is expired. | Compare the certificate and key public key hashes to verify the cert/key pair, as shown when you received your certificate. Confirm the certificate has not expired. |
| Connection rejected or timeout (MiCA) | The request was sent to api.circle.com instead of the regional EU hostname. | If you enabled mTLS under MiCA, update your integration to call api-eu.circle.com for every endpoint. |