OAUTH-DPOP
OAuth token bound to client public key.
Definition
DPoP introduces DPoP-Proof JWT signed by client key on each request, containing htu (URL), htm (method), iat, jti. The resolver verifies binding to token via jkt header. Adopted by OpenID Connect FAPI 2.0 (financial-grade API).
Origin
IETF OAuth WG draft since 2019 ; RFC 9449 published September 2023.
Example in context
A bank issues a DPoP-bound access token — even if exfiltrated, it is unusable without the client private key.
Related terms
- OAuth 2.1 — integration context.