---
title: >-
  Card deposit endpoint now requires mTLS certificate - Shopify developer
  changelog
description: >-
  Shopify’s developer changelog documents all changes to Shopify’s platform.
  Find the latest news and learn about new platform opportunities.
source_url:
  html: >-
    https://shopify.dev/changelog/card-deposit-endpoint-now-requires-mtls-certificate
  md: >-
    https://shopify.dev/changelog/card-deposit-endpoint-now-requires-mtls-certificate.md
metadata:
  effectiveApiVersion: ''
  affectedApi: []
  primaryTag:
    displayName: API
    handle: api
  secondaryTag:
    displayName: Update
    handle: update
  indicatesActionRequired: false
  createdAt: '2026-07-15T14:58:45-04:00'
  postedAt: '2026-07-16T12:00:00-04:00'
  updatedAt: '2026-07-15T21:59:36-04:00'
  effectiveAt: '2026-07-16T12:00:00-04:00'
---

# Card deposit endpoint now requires mTLS certificate

DateJuly 16, 2026

FlagsUpdate

SurfacesAPI

Shopify's card-deposit endpoint now requires a Shopify-issued mTLS client certificate. Apps that store cardholder data with the `customerPaymentMethodCreditCardCreate` and `customerPaymentMethodCreditCardUpdate` GraphQL Admin API mutations must first deposit that data at Shopify's `/sessions` card-deposit endpoint to receive a session identifier. That deposit call must present a Shopify-issued certificate by **October 15, 2026**. This is a required change: after enforcement begins, deposit requests will be required to have a valid certificate. If your app deposits cardholder data, you must update.

## What changed

The card-deposit endpoint at `https://checkout-mtls.pci.shopifyinc.com/sessions` is unchanged. What's new is that every request to it must present a Shopify-issued mTLS client certificate. Previously, requests to this endpoint did not require a client certificate.

The GraphQL Admin API vault mutations are unchanged. You continue to call `customerPaymentMethodCreditCardCreate` and `customerPaymentMethodCreditCardUpdate` with the session identifier returned by the deposit call, and your GraphQL Admin API OAuth flow is unaffected.

`customerPaymentMethodRemoteCreate` is out of scope. It imports references to payment methods already held at external gateways and deposits no cardholder data to Shopify.

## Who's affected

This applies to apps that deposit cardholder data to Shopify through `customerPaymentMethodCreditCardCreate` or `customerPaymentMethodCreditCardUpdate`.

Apps that only call `customerPaymentMethodRemoteCreate` to import payment methods from external gateways such as Stripe, Braintree, Authorize.Net, Adyen, or PayPal are not affected and need to take no action.

## Why this matters

All cardholder-data traffic reaching the deposit endpoint must be attributable to an authenticated caller. Requiring a client certificate lets Shopify verify who is depositing card data ahead of Black Friday and Cyber Monday 2026, and is the prerequisite for rejecting unauthenticated deposit traffic.

## What to do

If your app deposits cardholder data, migrate before **October 15, 2026**:

1. Confirm whether your app calls `customerPaymentMethodCreditCardCreate` or `customerPaymentMethodCreditCardUpdate`. If it only calls `customerPaymentMethodRemoteCreate`, no action is required.
2. Request a Shopify-issued client certificate at <shopify-mtls-partnerships@shopify.com>. Include your API client ID and technical point of contact. First certificates are signed manually by Shopify and take a few days, so start early.
3. Present the certificate on your `/sessions` deposit call, and continue passing the returned session identifier to the vault mutations unchanged.
4. Confirm your deposit traffic now arrives with a valid certificate. Shopify validates the cutover on our side.

After your first certificate, rotate it self-serve with Shopify's Certificate Signing Service before the 1-year TTL expires . No Shopify involvement is needed. A missed rotation stops your deposits, so monitor certificate expiry as part of your standard observability.

Apps that haven't migrated by October 15, 2026 lose the ability to deposit new cardholder data once the certificate requirement is enforced.

## Related docs

* [`customerPaymentMethodCreditCardCreate` reference](https://shopify.dev/docs/api/admin-graphql/latest/mutations/customerPaymentMethodCreditCardCreate)
* [`customerPaymentMethodCreditCardUpdate` reference](https://shopify.dev/docs/api/admin-graphql/latest/mutations/customerPaymentMethodCreditCardUpdate)
