All Collections
Portal Pages
brainCloud app security settings
brainCloud app security settings

Setting the minimum TLS version for API calls

Paul Winterhalder avatar
Written by Paul Winterhalder
Updated over a week ago

These article refers to a new screen, Design | Core App Info | Security, added to the portal to help manage the migration to higher security endpoints. Private deployments will not see this screen until such a migration is necessary.

We are hardening the security of our Public BaaS environment (i.e. to enforce TLS 1.2 for all APIs.

Up until 4.10, our Public Baas has accepted TLS 1.0 and 1.1 for API calls to ensure maximum compatibility for older apps. TLS 1.2 is well established now though, and we risk more by allowing 1.0 and 1.1 than we gain in backwards compatibility keeping them. Apologies to those devs that may be affected - but we must all march forward!

To facilitate a manageable transition - we have added an additional API endpoint to our public BaaS. So our public BaaS now supports:

  • - our new API endpoint that supports TLS 1.2 only… (we will further upgrade it to support TLS 1.3 as well when AWS supports it)

  • - this is our legacy endpoint that currently supports TLS 1.0, 1.1 and 1.2. This URL will be re-targeted to the same endpoint as starting June 7, 2022 <- and thus, will no longer support TLS 1.0 and 1.1 from that date forward.

Note that other than the version of TLS enforced, these two endpoints function exactly the same. Your apps and players will not see any difference!

The 4.10 client libraries have been updated to use as the new default serverUrl for API calls. If you are using an older library, you can simply specify "" for the serverUrl parameter of the wrapper Initialize() call - see API Reference.

Once your app is calling the new endpoint, you can then go to the new Design | Core App Info | Security, and set the minimum API TLS to 1.2. Careful though - this will mean that any calls to the older API endpoint ( will be rejected! ← because brainCloud cannot otherwise ensure that they were at least TLS 1.2.

Note - S2S and Builder APIs are also available via the new endpoint. It is recommended that all devs move to these endpoints at their earliest convenience.

Older libraries - Our tests indicate that our older libraries should support TLS 1.2 - but we haven’t been able to exhaustively test across all client platforms. As always, it is recommended that developers keep pace with the latest brainCloud libraries for maximum performance and reliability.

You can always find our latest libraries here:

Migration options

In summary, brainCloud 4.10 allows developers to bump up the minimum level of TLS for client APIs. Developers have two options on how they would like to migrate:

  1. Do nothing - If you do nothing, your app will automatically be upgraded to TLS 1.2 starting on June 7, 2022 when merges with and begins enforcing a minimum TLS of 1.2.

  2. Migrate early - For developers wanting to improve their app security now, the new API and security settings provide the means to de-risk and accelerate the migration – which is definitely convenient for devs maybe going through Facebook’s Privacy Checklists for example. The recommended approach is:

    1. Reconfigure your app to talk to - either by updating to the 4.10 libs - or overriding the serverUrl parameter in wrapper Initialize().

    2. Confirm that your app works just fine

    3. Release the updated build of your app - so that you can get the majority of your player base migrated over

    4. Set the minimum client version of your app to force upgrades for any stragglers.

    5. Adjust the TLS settings of your app to require TLS 1.2. You are done!

Did this answer your question?