Skip to main content
Use this guide to configure TLS in LangSmith. Start by mounting internal certificate authorities (CAs) so your deployment trusts the right roots system‑wide, for database or external service calls. You can then configure Playground-specific mTLS for communicating securely with supported model providers. This page covers:
  • Mounting internal certificate authorities (CAs) system-wide to enable TLS for database connections and Playground model calls
  • Using Playground-specific TLS settings to provide client certs/keys for mTLS with supported model providers

Mount internal CAs for TLS

You must use Helm chart version 0.11.9 or later to mount internal CAs using the configuration below.
Use this approach to make internal/public CAs trusted system‑wide by LangSmith (Playground model calls and database/external service connections).
  1. Create a file containing all CAs required for TLS with databases and external services. If your deployment is communicating directly to beacon.langchain.com without a proxy, make sure to include a public trusted CA. All certs should be concatenated in this file with an empty line in between.
-----BEGIN CERTIFICATE-----
<PUBLIC_CA>
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
<INTERNAL_CA>
-----END CERTIFICATE-----

...
  1. Create a Kubernetes secret with a key containing the contents of this file.
kubectl create secret generic <SECRET_NAME> --from-file=<SECRET_KEY>=<CA_BUNDLE_FILE_PATH> -n <NAMESPACE>
  1. If using custom CA for TLS with your databases and other external services, provide the following values to your LangSmith helm chart:
Helm
config:
  customCa:
    secretName: <SECRET_NAME> # The name of the secret created in step 2.
    secretKey: <SECRET_KEY> # The key in the secret containing the CA bundle.

clickhouse:
  external:
    tls: true # Only enable if you want TLS for Clickhouse.
postgres:
  external:
    customTls: true # Only enable if you want TLS for Postgres.
  1. Make sure to use TLS supported connection strings:
    • Postgres: Add ?sslmode=verify-full&sslrootcert=system to the end.
    • Redis: Use rediss:// instead of redis:// as the prefix.

Use custom TLS certificates for model providers

This feature is currently only available for the following model providers:These TLS settings apply to all invocations of the selected model providers (including Online Evaluation). Use them when the provider requires mutual TLS (client cert/key) or when you must override trust with a specific CA for provider calls. They complement the internal CA bundle configured above.
You can use custom TLS certificates to connect to model providers in the LangSmith Playground. This is useful if you are using a self-signed certificate, a certificate from a custom certificate authority, or mutual TLS authentication. To use custom TLS certificates, set the following environment variables. See the self hosted deployment section for more information on how to configure application settings.
  • LANGSMITH_PLAYGROUND_TLS_MODEL_PROVIDERS: A comma-separated list of model providers that require custom TLS certificates. Note that azure_openai, openai, and custom are currently the only supported model providers, but more providers will be supported in the future.
  • [Optional] LANGSMITH_PLAYGROUND_TLS_KEY: The private key in PEM format. This must be a file path (for a mounted volume). This is usually only necessary for mutual TLS authentication.
  • [Optional] LANGSMITH_PLAYGROUND_TLS_CERT: The certificate in PEM format. This must be a file path (for a mounted volume). This is usually only necessary for mutual TLS authentication.
  • [Optional] LANGSMITH_PLAYGROUND_TLS_CA: The custom certificate authority (CA) certificate in PEM format. This must be a file path (for a mounted volume). Use this to mount CAs only if you’re using a helm version below 0.11.9; otherwise, use the Mount internal CAs for TLS section above.
Once you have set these environment variables, enter the LangSmith Playground Settings page and select the Provider that requires custom TLS certificates. Set your model provider configuration as usual, and the custom TLS certificates will be used when connecting to the model provider.
I