From b60273e7fa6a4d77b9e7fb032f1a8ca63b157d2f Mon Sep 17 00:00:00 2001 From: Ben Echols Date: Wed, 28 Jan 2026 20:28:25 -0800 Subject: [PATCH] Clarify TLS encryption applies to both API key and mTLS auth Co-Authored-By: Claude Opus 4.5 --- docs/evaluate/temporal-cloud/security.mdx | 25 +++++++++++++++-------- 1 file changed, 17 insertions(+), 8 deletions(-) diff --git a/docs/evaluate/temporal-cloud/security.mdx b/docs/evaluate/temporal-cloud/security.mdx index 85f2962a10..0a1dc16817 100644 --- a/docs/evaluate/temporal-cloud/security.mdx +++ b/docs/evaluate/temporal-cloud/security.mdx @@ -52,7 +52,7 @@ By deploying a [Codec Server](/production-deployment/data-encryption) you can se The base unit of isolation in a Temporal environment is a [Namespace](/namespaces). Each Temporal Cloud account can have multiple Namespaces. A Namespace (regardless of account) cannot interact with other Namespaces. -Each Namespace is available through a secure gRPC (mTLS) endpoint and an HTTPS (TLS) endpoint. +Each Namespace is available through a secure gRPC endpoint and an HTTPS (TLS) endpoint. Temporal Cloud is a multi-tenant service. Namespaces in the same environment are logically segregated. Namespaces do not share data processing or data storage across regional boundaries. 
@@ -79,18 +79,27 @@ See [Nexus Security](/nexus/security) for more information. ### Encryption -Communication into and out of Namespaces is over TLS. -All communication within our production environments is over TLS 1.3. -Data is stored in two separate locations: an Elasticsearch instance (used when filtering Workflows in SDK clients, the [CLI](/cloud/tcld), or the Web UI) and the core Temporal Cloud persistence layer. -Both are encrypted at rest with AES-256-GCM. +:::tip TLS vs mTLS + +**TLS** (Transport Layer Security) encrypts data in transit. **mTLS** (mutual TLS) is an authentication method where both client and server present certificates to verify identity. All Temporal Cloud connections use TLS encryption. When you choose "mTLS authentication," you're choosing how to prove your identity, not whether your connection is encrypted. + +::: -For more information, see [Requirements for CA certificates in Temporal Cloud](/cloud/certificates#certificate-requirements). +**In transit**: All connections to Temporal Cloud use TLS 1.3 encryption, regardless of your authentication method ([API keys](/cloud/api-keys) or [mTLS certificates](/cloud/certificates)). + +**At rest**: Data is stored in two locations: an Elasticsearch instance (used when filtering Workflows in SDK clients, the [CLI](/cloud/tcld), or the Web UI) and the core Temporal Cloud persistence layer. +Both are encrypted at rest with AES-256-GCM. ### Identity -Authentication to gRPC endpoints is provided by mTLS per Namespace. +Authentication to Temporal Cloud gRPC endpoints supports two methods: + +- **[API keys](/cloud/api-keys)**: Identity-based authentication using bearer tokens. Recommended for most use cases. +- **[mTLS certificates](/cloud/certificates)**: Mutual TLS authentication using client certificates issued by your CA. + +Both methods provide secure, encrypted connections to Temporal Cloud. Choose based on your organization's security requirements and key management preferences. 
-For more information, see [How to manage SAML authentication with Temporal Cloud](/cloud/saml). +For user authentication to the Temporal Cloud UI, see [How to manage SAML authentication with Temporal Cloud](/cloud/saml). ### Access
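Review bot: In the `@@ -52,7 +52,7 @@` hunk, dropping "(mTLS)" leaves the sentence asymmetric: "a secure gRPC endpoint and an HTTPS (TLS) endpoint" annotates only the HTTPS side with TLS, which a reader can take to mean the gRPC endpoint is not TLS, the opposite of what this patch sets out to clarify. Suggest `+Each Namespace is available through a secure gRPC (TLS) endpoint and an HTTPS (TLS) endpoint.` or simply "Each Namespace is available through TLS-protected gRPC and HTTPS endpoints."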
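Review bot: In the `@@ -79,18 +79,27 @@` hunk, the "In transit" line broadens a claim: the removed text said "Communication into and out of Namespaces is over TLS" and separately "All communication within our production environments is over TLS 1.3", while the new line states "All connections to Temporal Cloud use TLS 1.3 encryption, regardless of your authentication method". That is only accurate if the public endpoints refuse TLS 1.2 from older SDK and CLI clients; please confirm the minimum negotiated version at the edge before committing to "TLS 1.3" for client connections, or keep the internal/external distinction the old text drew. Two smaller points: the removed link `/cloud/certificates#certificate-requirements` is replaced by `/cloud/certificates` without the anchor, so readers lose the direct pointer to the CA certificate requirements; and the API keys bullet says "Recommended for most use cases" while the closing sentence says "Choose based on your organization's security requirements", which pulls in two directions. Since the bullet also describes API keys as bearer tokens, either state the reason for the recommendation or drop it and let the linked pages carry the guidance.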