DPoP

Tutorials for Demonstrating Proof-of-Possession (DPoP)

What is DPoP?

DPoP, or Demonstrating Proof of Possession, is an extension that describes a technique for cryptographically binding access tokens to a particular client at the time they are issued.

Why DPoP?

Bearer Token:

DPoP-bound Token:

How DPoP Works

Key Concepts

DPoP Proof: A JWT signed with the client's private key that proves possession of that key.

JWK Thumbprint: SHA-256 hash of the public key, used as the key identifier.

Token Binding: Links the access token to a specific key pair via the cnf.jkt claim.

Nonce: Server-generated random value used to prevent replay attacks.

Replay Protection: Each proof is bound to a specific HTTP method, URL and timestamp.

ath Claim: Access token hash, which confirms that the proof matches the token being presented.

Tutorials

1. Protect Your API

   What You'll Learn: Protect a bearer token with DPoP.

2. Generate Proof

   What You'll Learn: Generate a DPoP proof for the auth server.
