Term · 28. International Regulations
DPoP (Demonstration of Proof of Possession)
Definition
Demonstration of Proof-of-Possession (IETF RFC 9449): an OAuth 2.0 mechanism that binds an access token to a private key held by the client. Each API request carries a DPoP header with a proof JWT signed by that private key, demonstrating possession of the key the token is bound to. This mitigates token-theft attacks: a stolen bearer token is useless without the key. Baseline defense in FAPI 2.0 and in emerging AI-agent authorization patterns.
- Synonyms: Demonstration of Proof of Possession; Sender-constrained tokens
- Application: Regulatory: IETF RFC (e.g., 7519 JWT, 6749 OAuth 2.0)
- Standards & regulations: IETF
- Sources: OAuth 2.0 DPoP, RFC 9449 (primary source)
Related terms
- Kerberos: Network authentication protocol developed at MIT (Kerberos v5: IETF RFC 4120, 2005) using symmetric-key cryptography and …
- OpenID Connect (OIDC): Identity layer on top of OAuth 2.0 (OpenID Foundation, OIDC Core 1.0). Provides standardized authentication via JWT ID t …
- Public Key Infrastructure (PKI): distributed system of services, components, and policies supporting cryptographic oper …
- FAPI 2.0 (Financial-grade API): OpenID Foundation Financial-grade API Security Profile 2.0 — high-security authorization profile for financial APIs (ope …
- mTLS (mutual TLS): Mutual TLS — both client and server authenticate each other via certificates during TLS handshake. RFC 8705 specifies OA …
- OAuth 2.1: IETF draft consolidating OAuth 2.0 (RFC 6749) with security best practices and deprecating insecure patterns: removes im …