SecPrep

How does mTLS provide service-to-service authentication in microservices, and what does a service mesh add?

Mutual TLS (mTLS) extends ordinary TLS so that both sides present and verify X.509 certificates: the client authenticates the server, as usual, and the server also authenticates the client. In microservices this gives every workload a strong, cryptographic identity (its certificate carries an identity such as a SPIFFE ID in a URI SAN) together with encryption in transit, replacing shared API keys and trust in network location. That is what makes zero-trust east-west traffic possible. The hard parts are certificate lifecycle at scale: issuing a certificate to every workload, rotating short-lived certificates before they expire (short lifetimes are what make revocation largely unnecessary), and getting every service to verify its peers correctly.

A service mesh (Istio, Linkerd) takes this off the application: it injects sidecar proxies that terminate and originate mTLS transparently and obtain and rotate certificates from the mesh's CA, so application code never handles keys or TLS configuration. Two caveats. First, a valid certificate from the mesh CA proves only that the peer is some member of the mesh, so the server must check the peer's identity, not merely that the chain verifies. Second, mTLS authenticates who the service is; authorization policy (which identity may call which service) still has to be enforced on top of it.
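The following is an added worked example in Go, not code from SecPrep or from any mesh project, showing the pieces the answer describes end to end: a mesh CA minting short-lived workload certificates with SPIFFE IDs in URI SANs, a server-side `tls.Config` that requires and verifies client certificates, an identity check that extracts the peer's SPIFFE ID instead of accepting any certificate from the CA, and a separate authorization policy keyed on that identity. The trust domain `example.org`, the identities under `spiffe://example.org/ns/prod/...`, the `policy` map and the "rogue CA" are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

const ( // constructed trust domain and workload identities for this example
	trustDomain = "example.org"
	frontendID  = "spiffe://example.org/ns/prod/sa/frontend"
	batchID     = "spiffe://example.org/ns/prod/sa/batch"
	paymentsID  = "spiffe://example.org/ns/prod/sa/payments"
)

// issue mints a short-lived cert: a self-signed CA if parent is nil, else a workload cert with a SPIFFE URI SAN.
func issue(id string, ttl time.Duration, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: id},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(ttl), // a short TTL plus rotation stands in for revocation
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else {
		u, _ := url.Parse(id)
		tmpl.URIs = []*url.URL{u} // the identity is the URI SAN, not the CN or a DNS name
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticate is the server's view of the client cert: it must chain to the mesh CA and carry exactly one
// spiffe:// SAN in our trust domain. Accepting "any cert signed by our CA" would skip the identity check.
func authenticate(leaf *x509.Certificate, roots *x509.CertPool, now time.Time) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("untrusted peer certificate: %w", err)
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain {
		return "", fmt.Errorf("expected one spiffe://%s/... SAN, got %v", trustDomain, leaf.URIs)
	}
	return leaf.URIs[0].String(), nil
}

// policy is the authorization layer mTLS does not give you: mTLS settled who the caller is, this decides
// whether that identity may call this server.
var policy = map[string]map[string]bool{
	paymentsID: {frontendID: true}, // batch is a valid mesh identity but has no business here
}

func authorize(server, caller string) bool { return policy[server][caller] }

// serverTLSConfig wires both checks into a real tls.Config for the payments service: the handshake demands a
// client cert chained to ClientCAs, then the hook (which Go runs only after its own chain verification
// succeeds) enforces identity and policy before any application byte is exchanged.
func serverTLSConfig(serverCert tls.Certificate, roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no cert, or one from another CA, aborts the handshake
		ClientCAs:    roots,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			id, err := authenticate(chains[0][0], roots, time.Now())
			if err == nil && !authorize(paymentsID, id) {
				err = fmt.Errorf("%s is authenticated but not allowed to call %s", id, paymentsID)
			}
			return err
		},
	}
}

func main() {
	ca, caKey := issue("example.org mesh CA", 24*time.Hour, nil, nil)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	payments, paymentsKey := issue(paymentsID, time.Hour, ca, caKey)
	cfg := serverTLSConfig(tls.Certificate{Certificate: [][]byte{payments.Raw}, PrivateKey: paymentsKey}, roots)
	frontend, _ := issue(frontendID, time.Hour, ca, caKey)
	batch, _ := issue(batchID, time.Hour, ca, caKey)
	rogueCA, rogueKey := issue("rogue CA", 24*time.Hour, nil, nil)
	rogue, _ := issue(frontendID, time.Hour, rogueCA, rogueKey) // right identity, wrong issuer
	for _, c := range []*x509.Certificate{frontend, batch, rogue} { // hand each cert to the hook as the handshake would
		fmt.Println(c.Subject.CommonName, "->", cfg.VerifyPeerCertificate(nil, [][]*x509.Certificate{{c}}))
	}
	fmt.Println(authenticate(frontend, roots, time.Now().Add(2*time.Hour))) // same cert after its TTL: expired
}
```

Run as is, it prints `<nil>` for the frontend, a policy denial for the batch job (authenticated, not authorized), and an unknown-authority error for the certificate minted by the rogue CA even though it claims the frontend's SPIFFE ID; the last line shows the frontend's own certificate failing verification once its one-hour TTL has passed, which is the state a mesh sidecar would have rotated it out of long before. The hook is exercised directly rather than over a socket so the example runs offline, but `serverTLSConfig` is the configuration a real `tls.Listen` or `http.Server` would take, and in that path Go's own verification against `ClientCAs` rejects the rogue certificate before the hook is ever called.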
