A Proof-of-Possession (PoP) token is a security artifact that requires the presenter to demonstrate possession of a specific cryptographic key in addition to presenting the token itself. Unlike a standard Bearer token, which can be used by any party that obtains it, a PoP token is intrinsically bound to a client's private key. The DPoP (Demonstration of Proof-of-Possession) specification, standardized by the IETF, formalizes this by requiring the client to sign a unique nonce and timestamp with its private key, embedding the resulting signature directly into the access request.
Glossary
Proof-of-Possession Token

What is a Proof-of-Possession Token?
A Proof-of-Possession token is a security mechanism that cryptographically binds an access token to a specific client, preventing a stolen token from being replayed by an unauthorized attacker.
This mechanism neutralizes token replay and exfiltration attacks. Even if an attacker intercepts the access token, they cannot use it without also possessing the corresponding private key, which is typically stored in a secure hardware enclave or TPM. In the context of Secure Model Serving, PoP tokens ensure that only the authenticated client instance that originally obtained the authorization can invoke an inference endpoint, providing a critical defense-in-depth layer against API token theft and unauthorized model extraction.
Key Features of Proof-of-Possession Tokens
Proof-of-Possession (PoP) tokens, such as DPoP, add a critical security layer by cryptographically binding an access token to a specific client instance, rendering stolen tokens useless to an attacker.
Asymmetric Key Binding
The client generates a public/private key pair and embeds the public key directly into the token request. The resulting access token is cryptographically bound to this key. Every subsequent API call must include a DPoP proof—a signature created by the corresponding private key over the request details. This proves the sender possesses the private key without ever transmitting it.
Replay Attack Prevention
A standard Bearer token can be used by anyone who intercepts it. A PoP token is useless without the private key. The DPoP proof includes a unique nonce and a timestamp within the signed payload. The resource server tracks used nonces, ensuring that even a validly signed proof cannot be captured and replayed in a subsequent request.
Request Context Integrity
The DPoP proof signature covers critical request metadata, creating a strong binding to the specific action:
- htm: The HTTP method (e.g., POST)
- htu: The exact target URI (e.g., /v1/inference/model-a)
- ath: The hash of the associated access token This prevents a token from being used against a different endpoint or with a different method than originally intended.
Token Exfiltration Resilience
In a Bearer token architecture, a compromised log file or a man-in-the-middle proxy can leak a token, leading to immediate account takeover. With PoP tokens, the attacker obtains only the access token string, not the private key. Without the ability to sign the required DPoP proof for each request, the stolen artifact is cryptographically inert and cannot be used to access protected resources.
Server-Nonce Hardening
To prevent pre-computed proof attacks, the authorization server can issue a server-chosen nonce that the client must include in subsequent proofs. This challenges the client to demonstrate real-time possession of the private key. If a proof lacks the correct server nonce, the resource server rejects it with a use_dpop_nonce error, forcing the attacker to restart the handshake without the key.
Token Type Differentiation
PoP tokens are explicitly typed as DPoP in the token response, distinguishing them from standard Bearer tokens. The resource server enforces this type check: an endpoint configured for PoP will reject a Bearer token outright. This prevents token type confusion attacks where a downgrade from PoP to Bearer is attempted to bypass the proof-of-possession requirement.
Frequently Asked Questions
Clear answers to common questions about cryptographically binding access tokens to specific clients to prevent token replay and theft.
A proof-of-possession (PoP) token is a security token that cryptographically binds an access token to a specific client, preventing a stolen token from being replayed by an unauthorized attacker. Unlike a standard bearer token, which grants access to anyone who possesses it, a PoP token requires the presenter to demonstrate possession of a private key that corresponds to a public key embedded within the token itself. The mechanism works by having the client generate an asymmetric key pair, embed the public key into the token request, and then sign every subsequent API request with the corresponding private key. The resource server verifies this signature against the embedded public key, ensuring the request originates from the legitimate client and not an attacker who intercepted the token. This binding effectively neutralizes token exfiltration attacks, making PoP tokens essential for securing high-value model serving endpoints and inference APIs.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts that form the foundation of proof-of-possession token architectures, preventing token replay and misuse in machine-to-machine API communication.
Bearer Token vs. Sender-Constrained Token
A bearer token grants access to any party that possesses it, making it vulnerable to replay if intercepted. A sender-constrained token cryptographically binds the token to a specific client, rendering it useless if stolen.
- Bearer tokens rely solely on transport security (TLS) for protection
- Sender-constrained tokens add a second factor: proof of possession of a cryptographic key
- The
cnf(confirmation) claim in a JWT encodes the key material the client must demonstrate possession of - Critical for zero trust architectures where network location is not trusted
Token Replay Attack Prevention
Proof-of-possession tokens defend against replay attacks by binding the token to a nonce (number used once) and specific request parameters. Even if an attacker intercepts the token and proof, they cannot reuse them.
- The server issues a fresh nonce that the client must include in the DPoP proof
- The
htmandhtuclaims bind the proof to a single HTTP request - Server maintains a short-lived replay cache of recently used nonces
- Contrast with bearer tokens, which an attacker can replay within the token's validity window

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us