Sender constrained tokens using DPoP is now Generally Available on Enterprise plans.

Support for sender constraining tokens using Demonstrating Proof of Possession (DPoP) is now generally available on Enterprise plans.

Demonstrating Proof of Possession (DPoP) as defined in RFC9449, is an application level mechanism for binding tokens issued by Auth0 to the client application that requested that token. This is implemented using asymmetric key cryptography and with keys that are generated and managed by the client application - no public key infrastructure (PKI) is required.

Sender constraining tokens in this way using DPoP helps to:

• enhance security by mitigating against token theft and misuse by unauthorised parties
• improve user experience by being able to use longer-lived access tokens without significantly increasing security risk i.e. not requiring frequent user authentication

Additional features since the EA release includes replay protection against client applications sending repeated DPoP proofs, and the ability to require DPoP for public clients only, or all clients.

A number of Auth0 SDKs have shipped with support for DPoP:

• Authentication SDKs supporting DPoP for client applications: auth0-spa-js, auth0-react, auth0-angular, nextjs-auth0, auth0-flutter, Auth0.Swift and Auth0.Android
• Authentication SDKs supporting DPoP for APIs/Resource Servers:express-oauth2-jwt-bearer, auth0-api-js, auth0-api-python, aspnetcore-api
• Management SDKs supporting DPoP configuration: terraform-provider, go-auth0,deploy-cli, node-auth0, auth0.net

For more details, see the product documentation.