Demonstrating Proof of Possession
DPoP.
An OAuth 2.0 extension (RFC 9449) that binds an access or refresh token to a client-held cryptographic key, so that a stolen token cannot be replayed without the corresponding private key; this removes the main payoff of bearer-token theft.
DPoP is recommended for high-security flows (FAPI, banking, fintech) and is increasingly common in any deployment where bearer-token theft is a realistic threat. Adoption in browser-based applications grew through 2024–2026 as more CIAM platforms shipped DPoP support. Curity, Auth0 (Enterprise), Ory Hydra, and several others ship DPoP; lighter CIAM platforms typically do not.
Common questions
Is DPoP required by OAuth 2.1?
How does DPoP compare to mTLS?
Which CIAM platforms support DPoP?
In the guides
Account Takeover Defense: A Layered Approach for 2026
ATO is the single largest CIAM threat in 2026. The defense stack is layered: credential-stuffing protection, MFA, session management, and recovery design, each addressing a different attack class.
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.