ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

OAuth MTLS Sender Constrained Tokens

RFC 8705 mTLS bound access tokens.

Definition

mTLS client authentication at the token endpoint uses X.509 client certificate presented during TLS handshake. Issued access token contains cnf (confirmation) with x5t#S256 (SHA-256 cert thumbprint). Resource Server verifies that the cert presented during mTLS of the request matches cnf. Alternative to DPoP for token binding, simpler implementation but requires mTLS everywhere.

Origin

IETF OAuth WG, RFC 8705 published February 2020.

Usage

Widely adopted in UK Open Banking FAPI 1.0 Advanced, Brazil Open Finance, regulated financial sectors.

Related terms

  • mTLS — mécanisme sous-jacent.
  • OAuth DPoP — alternative application layer.
  • FAPI 1.0 — profil utilisateur.

Last updated: May 18, 2026