DPoP

DPoP, or Demonstrating Proof of Possession, is a mechanism used to bind OAuth 2.0 access tokens to a specific client and its cryptographic key. It is defined as an extension to OAuth 2.0 and relies on a per-request proof of possession to prevent token replay and misuse.

How it works

A client starts by generating a public/private key pair and registering the public key with the authorization server. When the client obtains an access token, the token can be bound to the client’s key. For each API request to a protected resource, the client includes a DPoP proof in an HTTP header. This proof is a JSON Web Token signed with the client’s private key and contains claims such as iat (issued at), htm (HTTP method), htu (HTTP URI), and jti (a unique token identifier to prevent replay). The resource server validates the DPoP proof against the registered public key and confirms that the htm and htu match the current request and that the jti has not been used before.

Components and relation to tokens

DPoP uses standard JWTs and JSON Web Keys (JWKs). The access token can include a confirmation claim (cnf) that links it to the client’s key, ensuring the token cannot be used by a different client. The DPoP proof is checked at the resource server prior to granting access.

Security advantages and limitations

DPoP reduces the risk of token theft by binding tokens to a holder’s key and to a specific request context, mitigating replay and misuse across origins. Implementation requires support from both authorization and resource servers, careful key management, and handling key rotation and token binding across sessions.

See also: OAuth 2.0, OpenID Connect, Proof of Possession, mTLS, JWT, JWK.