I’ve been trying to resolve a failing API integration for several weeks and have finally isolated what appears to be a bug.
THE ISSUE
When a Power Automate HTTP action is configured with both:
•Authentication type: Client Certificate
•A manual Authorization: Basic header
Power Automate silently drops the client certificate during the TLS handshake. The certificate is never presented to the server, causing the mTLS connection to fail.
The identical call in Azure Logic Apps (same certificate, same Authorization header) is successful.
I’ve tested with certificates from Azure Key Vault and also with the PFX base64-encoded inline…same result either way.
Tested successfully with other platforms (postman, SAP APIM, curl, RPA software). Only Power Automate seems to have this problem and I don’t know how to fix it (or if it can be fixed)
For testing, I did a test with badssl’s public certificate. I was able to make the HTTP call using their certificate in Power Automate. As soon as I added their Authorization header, the same call failed.
It looks like Power Automate treats the presence of an Authorization header as the active authentication mechanism and stops presenting the client certificate at the TLS layer. Logic Apps handles the two authentication mechanisms independently and correctly. TLS (certificate) and HTTP (Authorization header) are separate layers and should not interfere with each other.
This makes it impossible to call any API that requires both mTLS client certificate authentication AND HTTP Basic Auth credentials from Power Automate despite this being a valid and common enterprise API security pattern.
I opened a support ticket with Microsoft but I haven’t really gotten any solid info back. Has anyone else seen this? Has anyone found a workaround within Power Automate ?