CIAM.wiki


DPoP

DPoP (Demonstrating Proof of Possession, RFC 9449) is an OAuth 2.0 extension that binds an access token to a key pair held by the client that requested it. Every use of the token must be accompanied by a proof signed with that private key, so a token stolen on its own cannot be replayed by another party.

Also: demonstrating proof of possession

DPoP is an OAuth 2.0 mechanism that ties an access token to the specific client that obtained it. Before requesting a token, the client generates an asymmetric key pair. With the token request it sends a DPoP proof in the DPoP HTTP header: a short-lived JWT (typ "dpop+jwt") whose header carries the client's public key and whose claims name the HTTP method (htm), the request URI (htu), the issue time (iat) and a unique identifier (jti), all signed with the private key. The authorization server verifies the proof and binds the issued token to the key by recording the public key's JWK thumbprint (the cnf.jkt claim in a JWT access token, or the equivalent field returned by introspection). On every subsequent API call the client presents the token as "Authorization: DPoP <token>" together with a fresh proof that also carries a hash of the token (ath). The resource server checks that the proof's signature verifies under the key in its header, that the thumbprint of that key matches the one the token is bound to, that htm and htu match the request actually received, that iat is recent and that jti has not been seen before.

This binding means that if an attacker intercepts the token in transit or extracts it from a log, they cannot use it without also possessing the private key. Traditional bearer tokens, by contrast, can be used by anyone who holds them. The protection covers the token, not the key: an attacker who can drive the legitimate client (for example through a script-injection vulnerability that lets them call the signing routine) can still mint valid proofs, so browser clients should keep the key non-extractable (a WebCrypto CryptoKey) and servers should treat DPoP as a mitigation for token theft rather than for client compromise. A captured proof is of limited value on its own, because it is bound to one method and URI, carries a timestamp and a jti the server can reject on reuse, and the server may additionally demand a server-supplied nonce (the DPoP-Nonce header) that narrows the replay window further.

DPoP works at the HTTP layer: it does not require mutual TLS (the alternative, certificate-bound access tokens under RFC 8705, needs the TLS endpoint that terminates the connection to handle client certificates) and it passes unchanged through TLS-terminating proxies and CDNs. That makes it practical for browser-based and mobile applications, where provisioning client certificates is awkward.

For CIAM, DPoP strengthens customer-facing token security by making an intercepted token useless without the matching private key, which reduces the impact of tokens leaking from logs, proxies or browser storage.
