Req uses Finch as its default adapter and Finch uses Mint (which allows all of the Erlang :gen_tcp and :ssl socket options to be passed).
So looking at the Req run_finch/1 documentation we see :connect_options which contains :transport_opts which defers to Mint for the details.
The mutual TLS options for Mint was answered here as not all options are covered in the Mint documentation, only the ones they alter the semantics of.
So your code will be something like:
Req.post!(url, json: payload, connect_options: [transport_opts: [cacerts: :public_key.cacerts_get(), certfile: ~c"client.pem", password: secret_charlist]])
Note that Erlang needs charlists passed.
