Security (also: Demonstrating Proof of Possession)

DPoP

Bind an OAuth token to a client-side public key.


In plain terms

Defined in RFC 9449. Stealing only the access token is useless without the matching private key, because every request must also carry a proof signed with that key. It is replacing bearer tokens for high-value APIs.

Origin

Published as RFC 9449 (September 2023). It addresses "stolen bearer token" attacks on OAuth: without DPoP, a leaked access token is enough to impersonate the client; with DPoP, the attacker also needs the client's private key.

Where it shows up in production
  • FAPI 2.0 (Open Banking): required for high-value financial APIs; bearer tokens alone are deemed insufficient.
  • Auth0 / Okta: both ship DPoP support for sensitive customer APIs alongside the legacy bearer flow.