Service to Service TLS

Let's dive into how to set up a client to communicate with a backend API over TLS.


This guide picks up where the Local HTTPS example left off. If you haven't already set up local encryption, please do that first.


Add the Client

First you will update the service that was set up in the previous guide, Local HTTPS, to have a client. In this example, that's a Go client.

  1. Go to the Anchor Dashboard and click on the service that you created previously, titled "go-demo".

  2. Then click the Edit button.

  3. On the Edit Service page in the Clients section, enter go-client for the "Client name".

  4. Select a "client type" of Go. Then click Add client.

  5. Once you see the go-client card in the "Create new client" section, click Update Service at the bottom of the page.


This brings up the Setup Guide.

Set Up the Client

In the go-demo Setup Guide you'll now see a section titled "Go client setup".

Anchor auto-generates a module for this client which you will download and unzip, then initialize and add to your project.

  1. Click Download module to download the module to the tmp directory of the go-demo project.

  2. Unzip the module

    • Replace [VERSION] with the version of the file you just downloaded, for example pki-go@v0.1.6
    unzip tmp/pki-go[VERSION]
  3. Rename the unzipped module

    mv anchor.dev/[ORGNAME]/localhost/pki-go[VERSION] anchor.dev/[ORGNAME]/localhost/pki-go
  4. Initialize the module

    • Run this command with the path to the module you just unpacked:
    go work init && go work use . ./anchor.dev/[ORGNAME]/localhost/pki-go && go mod edit && go mod tidy
  5. Add the module to your import block in main.go

    • Look in the Setup Guide in Step 4, Update the HTTP Client, to find the module import with the [ORGNAME]
    • Your import block will look something like this:
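    import (
        _ "github.com/joho/godotenv/autoload"
        // named (not blank) import: ping_backend refers to anchor.Certs
        "github.com/anchordotdev/anchor-go"
        // add the pki-go module import from Step 4 of the Setup Guide here
    )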
  6. In the ping_backend() function, uncomment the pki.Init() and RootCAs: anchor.Certs.CertPool(), lines:

func ping_backend(url string) string {
  // load the Localhost CA certificates.
  pki.Init()
  // configure http client to use the anchor CA certificates.
  client := &http.Client{
    Transport: &http.Transport{
      TLSClientConfig: &tls.Config{
        RootCAs: anchor.Certs.CertPool(),
      },
    },
  }
  // ... the rest of ping_backend is unchanged
}

Your app is now ready to communicate with services that present Anchor-issued certificates for your organization.
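
To see what the RootCAs setting changes, here is an added example (not code from the Anchor demo project) that pings the same backend once with a private CA pool and once with only the system trust store. The names pingBackend and demo are hypothetical, and the throwaway httptest server and the pool built from its certificate are constructed stand-ins for an Anchor-issued backend and anchor.Certs.CertPool().

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"time"
)

// pingBackend mirrors the page's ping_backend: it GETs url with a client that
// trusts only the CAs in roots. A nil pool falls back to the system trust store.
func pingBackend(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{
		Timeout:   5 * time.Second,
		Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}},
	}
	resp, err := client.Get(url)
	if err != nil {
		return "", err // certificate verification failures surface here
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// demo starts a local TLS backend whose certificate no public CA has signed,
// then pings it with and without that certificate in the client's RootCAs.
func demo() (trusted string, untrustedErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "pong")
	}))
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // stand-in for anchor.Certs.CertPool()

	trusted, _ = pingBackend(srv.URL, pool)     // verifies against the private pool
	_, untrustedErr = pingBackend(srv.URL, nil) // system roots do not know this CA
	return trusted, untrustedErr
}

func main() {
	body, err := demo()
	fmt.Println("with private CA pool:", body)
	fmt.Println("with system roots only:", err)
}
```

The second call fails during the TLS handshake, which is the behaviour to keep: setting RootCAs to the private pool is the fix, and disabling verification with InsecureSkipVerify is not.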

Point the app at a Backend

  1. In your .env file, uncomment the BACKEND_URL that corresponds to the service you want your go app to connect to.

  2. Update the port in BACKEND_URL to the port that the service is running on.

# These env vars can be found in the setup guide after a "go-demo" service is created in Anchor.
# Optional, used for setting up a service-to-service demo.

Visit in a Browser

Start the app:

go run ./main.go


The app is available at https://go-demo.lcl.host:[PORT], where [PORT] is specified in the .env file above. Note: The port for your app will be different.

Load the site in your browser over HTTPS.


Now that a BACKEND_URL has been provided, the app automatically pings the endpoint specified by BACKEND_URL over HTTPS and displays the results.