Sender constrained tokens using DPoP is now available in Early Access.

We are delighted to announce that support for sender constraining tokens using Demonstrating Proof of Possession (DPoP) is now available in Early Access.

Demonstrating Proof of Possession (DPoP) as defined in RFC9449, is an application level mechanism for binding tokens issued by Auth0 to the client application that requested that token. This is implemented using asymmetric key cryptography and with keys that are generated and managed by the client application - no public key infrastructure (PKI) is required.

Sender constraining tokens using DPoP can be used to mitigate the risk of tokens being used by unauthorised parties if they are intercepted in transit or exfiltrated from applications. This helps to:

• enhance security by mitigating against token theft and misuse by unauthorised parties
• improve user experience by being able to use longer-lived access tokens without significantly increasing security risk i.e. not requiring frequent user authentication

Auth0 will be rolling out SDK support for DPoP for native applications, single page applications, backend server APIs, and Auth0 management:

• SDKs for iOS Swift and Android Kotlin are available now.
• SDKs for Javascript, React, Python and more are coming soon.

To evaluate DPoP for securing your tokens, contact your Auth0 representative. For more details, check out our product documentation.