Demonstration of Proof-of-Possession (DPoP) is an OAuth extension where a client proves ownership of a private key by generating a signed JSON Web Token (JWT) that is bound to a specific access token and HTTP request. Unlike Mutual TLS (mTLS) which secures the transport layer, DPoP operates at the application layer, allowing the proof to traverse reverse proxies and load balancers without terminating the cryptographic binding. The client creates a DPoP proof JWT containing a unique jti claim, the htm (HTTP method), and the htu (HTTP URI) of the request, then signs it with its private key.
Glossary
DPoP

What is DPoP?
Demonstration of Proof-of-Possession (DPoP) is an application-level mechanism that cryptographically binds an OAuth 2.0 access token to a specific client, mitigating token replay attacks in agent-to-agent communication.
The authorization server validates the DPoP proof and embeds the hash of the client's public key into the issued access token, creating a non-exportable binding. For every subsequent resource request, the client must present both the access token and a fresh DPoP proof signed by the same key. This prevents a stolen token from being replayed by an unauthorized party, as the attacker cannot generate a valid proof without the corresponding private key. DPoP is critical for Zero Trust Architecture in agent meshes, ensuring that even if a Workload Identity token is exfiltrated, it remains cryptographically useless to an impersonator.
Key Features of DPoP
DPoP (Demonstration of Proof-of-Possession) is an application-level security mechanism that cryptographically binds an OAuth 2.0 access token to a specific client instance, preventing token replay and theft in agentic communication networks.
Cryptographic Key Binding
DPoP introduces a proof-of-possession layer that binds an access token to an asymmetric key pair held exclusively by the client. The client generates a DPoP proof JWT signed with its private key, embedding the token's hash (ath claim) and a unique nonce. This ensures that even if a bearer token is exfiltrated, it cannot be replayed by an attacker who does not possess the corresponding private key.
- Uses asymmetric cryptography (RSA or EC keys)
- Embeds the access token hash in the
athclaim - Prevents token replay attacks across different TLS connections
Nonce-Based Replay Prevention
DPoP employs a server-issued nonce to prevent proof replay within the token's validity window. When a resource server receives a DPoP proof, it validates the nonce and may issue a fresh one via the DPoP-Nonce HTTP header. The client must use the most recent nonce in subsequent requests, creating a monotonically advancing sequence that makes captured proofs immediately stale.
- Server controls nonce lifecycle via
DPoP-Nonceheader - Prevents proof replay even within token TTL
- Enables stateless validation with short-lived nonces
Request URI and Method Binding
Each DPoP proof is scoped to a specific HTTP request by embedding the target URI (htu claim) and HTTP method (htm claim) directly in the signed JWT. This prevents an intercepted proof from being redirected to a different endpoint or upgraded to a more privileged method. The binding creates a cryptographic coupling between the proof, the token, and the exact operation being authorized.
htuclaim: exact target URI (scheme, host, path, query)htmclaim: HTTP method (GET, POST, PUT, DELETE)- Prevents cross-endpoint replay and method escalation
DPoP Proof JWT Structure
The DPoP proof is a signed JWT with a well-defined structure. The header includes the public key (jwk) and signing algorithm (typ: dpop+jwt). The payload contains mandatory claims: jti (unique ID), htm (HTTP method), htu (target URI), iat (issued-at timestamp), and optionally ath (access token hash). The signature proves possession of the private key without revealing it.
- Header:
{ "typ": "dpop+jwt", "alg": "ES256", "jwk": {...} } - Payload:
jti,htm,htu,iat,ath(optional) - Self-contained proof requiring no server-side key storage
DPoP vs. mTLS Comparison
While both DPoP and Mutual TLS (mTLS) provide proof-of-possession, they operate at different layers. mTLS binds tokens to the transport layer, requiring certificate management infrastructure. DPoP operates at the application layer, making it suitable for multi-hop architectures, mobile apps, and scenarios where TLS termination occurs at a load balancer. DPoP proofs survive TLS termination and can traverse API gateways.
- DPoP: application layer, survives TLS termination
- mTLS: transport layer, requires end-to-end TLS
- DPoP is SPA and mobile-friendly without client certificates
Agentic Communication Security
In multi-agent systems, DPoP provides a critical security layer for inter-agent communication. When Agent A delegates a task to Agent B, DPoP ensures that only Agent B—the legitimate key holder—can wield the delegated token. This prevents agent impersonation attacks and unauthorized token forwarding in agent mesh networks. Combined with SPIFFE workload identities, DPoP creates end-to-end cryptographic accountability across agent chains.
- Prevents token forwarding between unauthorized agents
- Binds delegated authority to a specific agent instance
- Integrates with SPIFFE for workload identity attestation
Frequently Asked Questions
Explore the mechanics, security properties, and implementation details of Demonstration of Proof-of-Possession (DPoP), a critical application-layer security mechanism for binding OAuth access tokens to a specific client key.
Demonstration of Proof-of-Possession (DPoP) is an application-level security mechanism defined by the IETF that allows an OAuth 2.0 client to cryptographically prove ownership of a private key when presenting an access token to a resource server. Unlike standard Bearer tokens, which can be used by any party that possesses them, a DPoP-bound token is useless without the corresponding private key.
- The Mechanism: The client generates an asymmetric key pair. For each HTTP request, it creates a DPoP proof—a JSON Web Token (JWT) signed with its private key. This JWT contains a unique
jti(nonce), the HTTP method, the request URL, and optionally a server-provided nonce to prevent replay. - The Binding: The proof is sent in a
DPoPHTTP header alongside the access token. The resource server validates the proof's signature against the public key embedded in the JWT header (jwk) and confirms the token is bound to that key via thecnf(confirmation) claim in the access token's introspection response.
This effectively upgrades a simple bearer token to a sender-constrained token, mitigating token replay and exfiltration attacks in agentic mesh networks.
DPoP vs. mTLS vs. Token Binding
Comparison of three distinct approaches to binding an access token to a client's cryptographic identity to prevent token replay and theft.
| Feature | DPoP | mTLS | Token Binding |
|---|---|---|---|
OSI Layer | Application (HTTP) | Transport (TLS) | Application (HTTP) |
Binding Target | Access token + request | TLS connection | Token + TLS channel |
Cryptographic Proof | Asymmetric key signature (JWS) | X.509 certificate handshake | Exported Keying Material (EKM) |
Termination Resilience | |||
Requires Client Certificate | |||
Standardization Status | RFC 9449 (Proposed Standard) | RFC 8446 (TLS 1.3) | RFC 8471-8473 (Deprecated) |
Browser Support | Service Workers only | Native support | Removed from Chrome |
Token Replay Prevention | Nonce-based freshness | Connection-bound | Channel-bound |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the foundational protocols and architectural patterns that complement DPoP to establish cryptographically verifiable identity and secure channels in autonomous agent mesh networks.
Token Binding
A mechanism to cryptographically bind application-layer bearer tokens to a TLS connection, preventing token export and replay attacks. While DPoP binds a token to a specific public key, Token Binding binds it to the underlying transport layer. This creates a layered defense: if an attacker steals a DPoP-bound token, they still cannot use it without the private key; if they bypass the application layer, the token remains bound to the original TLS channel, rendering it useless in a different session.
Mutual TLS (mTLS)
A mutual authentication protocol where both client and server present X.509 certificates to establish a bidirectional trusted, encrypted channel. Unlike DPoP, which operates at the application layer, mTLS secures the transport layer itself. In agentic systems, mTLS is often used alongside DPoP to provide defense-in-depth: mTLS authenticates the workload identity at the network level, while DPoP proves possession of a key bound to the specific OAuth access token.
Confidential Computing
A hardware-based security paradigm that protects data in use by performing computation within a Trusted Execution Environment (TEE). In the context of DPoP, confidential computing ensures that the private key used for proof-of-possession never leaves the secure enclave. Even if the host operating system is compromised, the key material remains isolated. Remote Attestation provides a verifiable proof that the DPoP signing key is held within a genuine TEE.
Zero Trust Architecture
A security model that eliminates implicit trust and requires continuous verification of every access request. DPoP is a critical enforcement mechanism within a Zero Trust fabric for agent-to-agent communication. It ensures that even if an agent is inside the network perimeter, it must continuously prove possession of a cryptographic key. The Policy Enforcement Point (PEP) validates the DPoP proof alongside the access token before allowing inter-agent API calls.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us