Demonstration of Proof-of-Possession (DPoP) is an application-level security mechanism that binds an OAuth access token to a specific client by requiring the presenter to cryptographically prove possession of a private key. This sender-constraining technique ensures that even if a token is stolen, it cannot be replayed by a different malicious actor.
Glossary
Demonstration of Proof-of-Possession (DPoP)

What is Demonstration of Proof-of-Possession (DPoP)?
An application-level mechanism for sender-constraining OAuth access tokens to prevent unauthorized reuse by attackers.
The client generates a unique DPoP Proof JWT for each HTTP request, embedding the public key thumbprint and signing it with the corresponding private key. The resource server validates this proof against the token's binding, effectively neutralizing token replay attacks and token theft in agentic communication chains.
Core Characteristics of DPoP
Demonstration of Proof-of-Possession (DPoP) is an application-level mechanism that binds an OAuth access token to a specific client instance using asymmetric cryptography, preventing stolen tokens from being replayed by unauthorized parties.
Asymmetric Key Binding
DPoP cryptographically binds an access token to a public-private key pair held by the client. The client generates a DPoP Proof JWT signed with its private key, which the resource server validates against the public key embedded in the proof. This ensures that even if a token is exfiltrated via a Man-in-the-Middle (MITM) attack, it cannot be replayed without access to the private key.
Nonce-Based Replay Prevention
To prevent an attacker from capturing and reusing a valid DPoP proof within its validity window, the protocol employs a server-issued nonce (a unique, single-use cryptographic number). The resource server can challenge the client with a fresh nonce via a DPoP-Nonce header, requiring the next proof to incorporate it. This makes every proof effectively single-use and resistant to replay.
Token-Proof Binding via 'ath' Claim
The DPoP proof contains an ath (access token hash) claim, which is the SHA-256 hash of the access token value. This creates a direct cryptographic linkage between the proof and the specific token it is authorizing. The resource server verifies this hash to confirm the proof was generated for that exact token, preventing an attacker from using a valid proof with a different stolen token.
Full Duplex API Protection
DPoP is designed to protect all standard HTTP methods used in API communication. The proof must include the full target URI and the HTTP method (e.g., POST, GET) in its claims. This prevents a captured proof intended for a read-only GET /api/status endpoint from being maliciously replayed against a destructive DELETE /api/agents endpoint, a classic Confused Deputy Problem mitigation.
Public Key Confirmation (RFC 7800)
DPoP leverages the RFC 7800 framework for Proof-of-Possession Key Semantics. The authorization server binds the client's public key to the issued access token, often embedding a cnf (confirmation) claim containing the JWK Thumbprint. This allows resource servers to independently verify that the presenter of the token is the same entity that authenticated to the authorization server, establishing a strong Workload Identity.
Stateless Server Validation
Resource servers do not need to maintain a session state for DPoP validation. They verify the proof's signature using the embedded public key (jwk), check the ath claim against the presented token, and validate the nonce. This statelessness makes DPoP highly scalable for distributed Zero Trust Architectures (ZTA) where centralized token introspection is a bottleneck.
Frequently Asked Questions About DPoP
Demonstration of Proof-of-Possession (DPoP) is a critical application-level security mechanism designed to bind OAuth access tokens to a specific client instance. By requiring the presenter to cryptographically prove ownership of a private key, DPoP mitigates token replay and theft in agentic communication chains.
Demonstration of Proof-of-Possession (DPoP) is an application-level sender-constraining mechanism for OAuth 2.0 tokens. It works by requiring the client to generate an asymmetric public/private key pair and then embed the public key's thumbprint into a DPoP Proof JWT. When presenting an access token to a resource server, the client must simultaneously send this proof, signed by the corresponding private key. The resource server validates the signature and confirms that the ath (access token hash) claim within the proof matches the presented token. This cryptographically binds the token to the specific client that holds the private key, rendering stolen tokens useless to an attacker who cannot produce a valid proof signature. Unlike Mutual TLS (mTLS), which operates at the transport layer, DPoP functions purely at the application layer, making it ideal for single-page applications and mobile agents that cannot manage client certificates.
DPoP vs. Bearer Tokens vs. mTLS
Comparing application-layer proof-of-possession with bearer tokens and transport-layer mutual authentication for securing agent-to-agent communication.
| Feature | DPoP | Bearer Tokens | mTLS |
|---|---|---|---|
Security Layer | Application (HTTP) | Application (HTTP) | Transport (TLS) |
Proof of Possession | |||
Replay Attack Resistance | |||
Token Theft Mitigation | |||
Sender Constraining | |||
Requires Client Certificate | |||
Non-Repudiation | |||
Works Through Proxies/LBs |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts and complementary technologies that form the foundation for sender-constrained token security in autonomous agent architectures.
OAuth 2.0 Token Binding
The foundational authorization framework that DPoP extends. Standard OAuth 2.0 bearer tokens are vulnerable to replay because any party possessing the token can use it. DPoP addresses this by cryptographically binding the token to a specific client's private key, ensuring that even if a token is intercepted, it cannot be used by an attacker who lacks the corresponding key material.
JSON Web Token (JWT) Structure
DPoP proof tokens are themselves JWTs with specific claims that enforce sender-constraint. Key claims include:
- jti: Unique nonce preventing replay of the proof itself
- htm: The HTTP method of the request being authorized
- htu: The exact URL being accessed
- ath: Hash of the bound access token This structure ensures each proof is single-use and tightly coupled to a specific request.
Nonce Management
A critical anti-replay mechanism in DPoP. The authorization server issues a unique DPoP-Nonce that clients must include in subsequent proof tokens. Servers track used nonces and reject proofs containing previously-seen values. This prevents attackers from capturing and reusing valid DPoP proofs, even within their short validity window. Proper nonce lifecycle management is essential for maintaining proof freshness.
Public Key Infrastructure (PKI)
While DPoP reduces dependency on traditional PKI compared to mTLS, it still relies on asymmetric cryptography. Clients generate ephemeral or persistent key pairs and register the public component with the authorization server. The server validates that proofs are signed by the corresponding private key. This creates a cryptographic binding between the token and the client without requiring certificate authorities.
Token Replay Attack Mitigation
DPoP directly addresses the threat model where an attacker intercepts a valid access token from network traffic or compromised storage. Without proof-of-possession, a stolen bearer token grants immediate unauthorized access. DPoP renders stolen tokens useless because the attacker cannot produce a valid proof signed with the legitimate client's private key, effectively neutralizing man-in-the-middle interception and token exfiltration attacks.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us