diff --git a/docs/receiving/using-app-portal/adding-endpoints.mdx b/docs/receiving/using-app-portal/adding-endpoints.mdx index 0eeffee..40bb88f 100644 --- a/docs/receiving/using-app-portal/adding-endpoints.mdx +++ b/docs/receiving/using-app-portal/adding-endpoints.mdx @@ -24,3 +24,30 @@ full descriptions of each endpoint as well as all the fields they send. If you don't specify any event types, by default, your endpoint will receive all events, regardless of type. This can be helpful for getting started and for testing, but we recommend changing this to a subset later on to avoid receiving unexpected messages. + +### Configuring mTLS + +Svix now supports Mutual TLS (mTLS), per endpoint. At this time this feature is only configurable via API. + +- `PUT $SVIX_ROOT/api/v1/app/APP/endpoint/ENDPOINT/mtls` to set the configuration options. +- `DELETE $SVIX_ROOT/api/v1/app/APP/endpoint/ENDPOINT/mtls` to clear any previously set configuration. + +The `PUT` body consists of two keys: +- `identity` (required) a PEM encoded private key and X509 certificate. +- `serverCaCert` (optional) a CA cert to use for validating the webhook receiver's cert. + + +Example: + +```sh +# using jq here to escape the newlines and produce a quoted string +CLIENT_PEM="$(cat client.pem | jq -sR .)" + +curl -sS -H "Authorization: Bearer $TOKEN" \ + -H "content-type: application/json" \ + -X PUT \ + -d '{"identity":'"$CLIENT_PEM"'}' \ + $SVIX_ROOT/api/v1/app/my-app/endpoint/my-endpoint/mtls +``` + +When `serverCaCert` is unset, the standard system CA certificates are used to verify the webhook receiver.
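Review bot: In the `curl` example, `-d '{"identity":'"$CLIENT_PEM"'}'` places the client private key in curl's argument list, where other local users can read it from the process table while the command runs. Since this is the snippet readers will copy, consider building the body with jq and passing it on stdin, for example `jq -sR '{identity: .}' client.pem | curl ... --data-binary @- "$SVIX_ROOT/api/v1/app/my-app/endpoint/my-endpoint/mtls"`, which also removes the extra `cat`, the hand-spliced quoting, and the unquoted URL. Two documentation gaps in the same section: the `identity` bullet does not say whether the key and certificate must appear in a particular order or whether an encrypted key is accepted, and the closing sentence covers only the case where `serverCaCert` is unset; it would help to state whether a supplied `serverCaCert` replaces the system CA set or is added to it.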