temporalio · THardy98 · Dec 2, 2025 · Dec 2, 2025 · Dec 3, 2025 · Dec 3, 2025
@@ -241,7 +241,15 @@ public static unsafe Interop.TemporalCoreClientOptions ToInteropOptions(
             {
                 throw new ArgumentException("Identity missing from options.");
             }
-            var scheme = options.Tls == null ? "http" : "https";
+
+            // Auto-enable TLS when API key is provided and TLS is not explicitly set
+            var tls = options.Tls;
+            if (!string.IsNullOrEmpty(options.ApiKey) && !options.TlsExplicitlySet)
+            {
+                tls = new Temporalio.Client.TlsOptions();
+            }
+
+            var scheme = tls == null ? "http" : "https";
             return new Interop.TemporalCoreClientOptions()
             {
                 target_url = scope.ByteArray($"{scheme}://{options.TargetHost}"),
@@ -251,7 +259,7 @@ public static unsafe Interop.TemporalCoreClientOptions ToInteropOptions(
                 api_key = scope.ByteArray(options.ApiKey),
                 identity = scope.ByteArray(options.Identity),
                 tls_options =
-                    options.Tls == null ? null : scope.Pointer(options.Tls.ToInteropOptions(scope)),
+                    tls == null ? null : scope.Pointer(tls.ToInteropOptions(scope)),
                 retry_options =
                     options.RpcRetry == null
                         ? null

@@ -10,6 +10,8 @@ namespace Temporalio.Client
     /// </summary>
     public class TemporalConnectionOptions : ICloneable
     {
+        private TlsOptions? tls;
+
         /// <summary>
         /// Initializes a new instance of the <see cref="TemporalConnectionOptions"/> class.
         /// Create default options.
@@ -38,9 +40,18 @@ public TemporalConnectionOptions()
         /// Gets or sets the TLS options for connection.
         /// </summary>
         /// <remarks>
-        /// This must be set, even to a default instance, to do any TLS connection.
+        /// This must be set, even to a default instance, to do any TLS connection. If not set and
+        /// <see cref="ApiKey"/> is provided, TLS will be automatically enabled with default options.
         /// </remarks>
-        public TlsOptions? Tls { get; set; }
+        public TlsOptions? Tls
+        {
+            get => tls;
+            set
+            {
+                tls = value;
+                TlsExplicitlySet = true;
+            }
+        }
 
         /// <summary>
         /// Gets or sets retry options for this connection.
@@ -103,6 +114,11 @@ public TemporalConnectionOptions()
         /// </remarks>
         public TemporalRuntime? Runtime { get; set; }
 
+        /// <summary>
+        /// Gets a value indicating whether TLS was explicitly set (even to null).
+        /// </summary>
+        internal bool TlsExplicitlySet { get; private set; }
+
         /// <summary>
         /// Create a shallow copy of these options.
         /// </summary>
@@ -113,7 +129,7 @@ public virtual object Clone()
             var copy = (TemporalConnectionOptions)MemberwiseClone();
             if (Tls != null)
             {
-                copy.Tls = (TlsOptions)Tls.Clone();
+                copy.tls = (TlsOptions)Tls.Clone();
             }
             if (RpcRetry != null)
             {

@@ -0,0 +1,69 @@
+namespace Temporalio.Tests.Client;
+
+using Temporalio.Bridge;
+using Temporalio.Client;
+using Xunit;
+
+public unsafe class TemporalConnectionOptionsTests
+{
+    [Fact]
+    public void ToInteropOptions_AutoEnablesTls_WhenApiKeyProvidedAndTlsNotSet()
+    {
+        var options = new TemporalConnectionOptions("localhost:7233")
+        {
+            ApiKey = "test-api-key",
+            Identity = "test-identity",
+        };
+
+        using var scope = new Scope();
+        var interopOptions = options.ToInteropOptions(scope);
+
+        // TLS should be auto-enabled when API key is provided and TLS not explicitly set
+        Assert.NotNull(interopOptions.tls_options);
+    }
+
+    [Fact]
+    public void ToInteropOptions_RespectsExplicitTlsNull_WhenApiKeyProvided()
+    {
+        var options = new TemporalConnectionOptions("localhost:7233")
+        {
+            ApiKey = "test-api-key",
+            Identity = "test-identity",
+            Tls = null, // Explicitly disable TLS
+        };
+
+        using var scope = new Scope();
+        var interopOptions = options.ToInteropOptions(scope);
+
+        // TLS should remain disabled when explicitly set to null
+        Assert.Null(interopOptions.tls_options);
+    }
+
+    [Fact]
+    public void ToInteropOptions_TlsDisabled_WhenNoApiKeyAndTlsNotSet()
+    {
+        var options = new TemporalConnectionOptions("localhost:7233");
+
+        using var scope = new Scope();
+        var interopOptions = options.ToInteropOptions(scope);
+
+        // TLS should be disabled when no API key and TLS not set
+        Assert.Null(interopOptions.tls_options);
+    }
+
+    [Fact]
+    public void ToInteropOptions_TlsEnabled_WhenExplicitlySet()
+    {
+        var options = new TemporalConnectionOptions("localhost:7233")
+        {
+            Identity = "test-identity",
+            Tls = new TlsOptions(),
+        };
+
+        using var scope = new Scope();
+        var interopOptions = options.ToInteropOptions(scope);
+
+        // TLS should be enabled when explicitly set
+        Assert.NotNull(interopOptions.tls_options);
+    }
+}
@@ -1,6 +1,7 @@
 <Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
+    <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <CopyLocalLockFileAssemblies>true</CopyLocalLockFileAssemblies>
     <GenerateProgramFile>false</GenerateProgramFile>
     <ImplicitUsings>enable</ImplicitUsings>