diff --git a/api/v1alpha1/mcpserver_types.go b/api/v1alpha1/mcpserver_types.go
index bbcd979..52998b1 100644
--- a/api/v1alpha1/mcpserver_types.go
+++ b/api/v1alpha1/mcpserver_types.go
@@ -160,6 +160,27 @@ type HTTPTransport struct {
 // the target path where MCP is served
 TargetPath string `json:"path,omitempty"`
+
+ // TLS defines the TLS configuration for HTTPS access to the MCP server.
+ // +optional
+ TLS *HTTPTransportTLS `json:"tls,omitempty"`
+}
+
+// HTTPTransportTLS defines the TLS configuration for HTTP transport.
+type HTTPTransportTLS struct {
+ // SecretRef is a reference to a Kubernetes Secret containing
+ // the client certificate (tls.crt), key (tls.key), and optionally
+ // the CA certificate (ca.crt) for mTLS authentication.
+ // The Secret must be in the same namespace as the MCPServer.
+ // +optional
+ SecretRef string `json:"secretRef,omitempty"`
+
+ // InsecureSkipVerify disables SSL certificate verification.
+ // WARNING: This should ONLY be used in development/testing environments.
+ // Production deployments MUST use proper certificates.
+ // +optional
+ // +kubebuilder:default=false
+ InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
 }
 // MCPServerStatus defines the observed state of MCPServer.
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 1c2e17e..7ea420e 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -29,6 +29,11 @@ import ( // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *HTTPTransport) DeepCopyInto(out *HTTPTransport) { *out = *in + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(HTTPTransportTLS) + **out = **in + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPTransport.
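Review bot: `HTTPTransportTLS` carries no schema-level validation, so the WARNING comment on `InsecureSkipVerify` is the only guardrail and a manifest can set `insecureSkipVerify: true` together with a `secretRef`; verification is then off even when the Secret supplies `ca.crt`, and the mTLS client credentials would presumably be presented to a peer whose identity was never checked. If that combination is not meant to be supported, a CEL rule on the struct would reject it at admission: `// +kubebuilder:validation:XValidation:rule="!self.insecureSkipVerify || !has(self.secretRef)",message="insecureSkipVerify cannot be combined with secretRef"`. The field comment should also say "TLS server certificate verification" rather than "SSL", and state which trust roots apply when `ca.crt` is absent from the Secret. The generated CRD YAML in the later hunks would need regenerating after either change, and the `HTTPTransport` struct itself begins outside this hunk.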
@@ -41,6 +46,19 @@ func (in *HTTPTransport) DeepCopy() *HTTPTransport { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *HTTPTransportTLS) DeepCopyInto(out *HTTPTransportTLS) { + *out = *in +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPTransportTLS. +func (in *HTTPTransportTLS) DeepCopy() *HTTPTransportTLS { + if in == nil { return nil } + out := new(HTTPTransportTLS) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *InitContainerConfig) DeepCopyInto(out *InitContainerConfig) { *out = *in
diff --git a/config/crd/bases/kagent.dev_mcpservers.yaml b/config/crd/bases/kagent.dev_mcpservers.yaml
index 4a741be..3cb49bc 100644
--- a/config/crd/bases/kagent.dev_mcpservers.yaml
+++ b/config/crd/bases/kagent.dev_mcpservers.yaml
@@ -3471,6 +3471,25 @@ spec: server.over HTTP format: int32 type: integer + tls: + description: TLS defines the TLS configuration for HTTPS access + to the MCP server. + properties: + insecureSkipVerify: + default: false + description: |- + InsecureSkipVerify disables SSL certificate verification. + WARNING: This should ONLY be used in development/testing environments. + Production deployments MUST use proper certificates. + type: boolean + secretRef: + description: |- + SecretRef is a reference to a Kubernetes Secret containing + the client certificate (tls.crt), key (tls.key), and optionally + the CA certificate (ca.crt) for mTLS authentication. + The Secret must be in the same namespace as the MCPServer. + type: string + type: object type: object stdioTransport: description: StdioTransport defines the configuration for a standard
diff --git a/helm/kmcp-crds/templates/mcpserver-crd.yaml b/helm/kmcp-crds/templates/mcpserver-crd.yaml
index a7a4928..a5af02b 100644
--- a/helm/kmcp-crds/templates/mcpserver-crd.yaml
+++ b/helm/kmcp-crds/templates/mcpserver-crd.yaml
@@ -1990,6 +1990,25 @@ spec: server.over HTTP format: int32 type: integer + tls: + description: TLS defines the TLS configuration for HTTPS access + to the MCP server. + properties: + insecureSkipVerify: + default: false + description: |- + InsecureSkipVerify disables SSL certificate verification. + WARNING: This should ONLY be used in development/testing environments. + Production deployments MUST use proper certificates. + type: boolean + secretRef: + description: |- + SecretRef is a reference to a Kubernetes Secret containing + the client certificate (tls.crt), key (tls.key), and optionally + the CA certificate (ca.crt) for mTLS authentication. + The Secret must be in the same namespace as the MCPServer. + type: string + type: object type: object stdioTransport: description: StdioTransport defines the configuration for a standard