mTLS piggyback

Present a client certificate to an mTLS upstream — your app sends none.

plain client, no certificate → TLS Lane → mTLS-required upstream

When you need it: An upstream requires client-certificate auth, but your client can't present one — a legacy app, a script, a microservice with no cert plumbing. You provision one operator identity on the agent.
How it works: TLS Lane presents your provisioned client certificate and signs the handshake with the key it holds — real proof-of-possession. One identity for every upstream.
Good to know: No trust-model change: ordinary forward-proxy client auth. The agent holds the private key. The provisioned cert can be a real client's cert+key if you hold it.
TLS version: TLS 1.2 and 1.3

Enable sudo tlslane splice --client-cert <pem> --client-key <pem>