Token Binding.
A defunct IETF standard (RFC 8471-8473) for binding HTTP authentication tokens to the TLS connection that issued them — superseded in practice by mTLS-bound tokens (RFC 8705) and DPoP (RFC 9449).
The Token Binding story is the cautionary tale for protocols that require coordinated browser, server, and library support to deploy. The technical design was right; the deployment economics — browsers had to ship support for an unproven security model with no immediate users — produced a fatal coordination failure. RFC 8705 and RFC 9449 learned the lesson: lighter integration burden on existing infrastructure, deployable incrementally per OAuth client.
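An added example, not from the original page: the resource-server check behind RFC 8705 certificate-bound tokens, the mTLS successor named above, which gives the same property Token Binding aimed for (a token copied off one client is useless from another). It assumes the token's signature has already been verified and that the TLS terminator supplies the client certificate as DER bytes; the function names and sample byte strings are constructed for illustration.

```python
import base64
import hashlib
import hmac
from typing import Optional


def cert_thumbprint(der_cert: bytes) -> str:
    """Return base64url(SHA-256(DER cert)) without padding (the x5t#S256 form)."""
    digest = hashlib.sha256(der_cert).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_is_bound_to(claims: dict, presented_der_cert: Optional[bytes]) -> bool:
    """True only if the token's cnf claim matches the cert on this TLS connection.

    `claims` is the already signature-verified JWT payload (assumption).
    """
    cnf = claims.get("cnf")
    if not isinstance(cnf, dict):
        return False  # plain bearer token: no binding to check, so reject
    expected = cnf.get("x5t#S256")
    if not isinstance(expected, str) or presented_der_cert is None:
        return False  # malformed claim, or no client cert was presented
    actual = cert_thumbprint(presented_der_cert)
    # Constant-time comparison of the two thumbprints.
    return hmac.compare_digest(expected.encode(), actual.encode())


# Constructed stand-ins for DER-encoded certificates (not real certificates;
# the thumbprint is a hash over whatever bytes the TLS layer reports).
CLIENT_CERT = b"constructed-der-bytes-for-client-A"
OTHER_CERT = b"constructed-der-bytes-for-client-B"

# What the authorization server would embed at issuance time.
BOUND_CLAIMS = {"sub": "client-A", "cnf": {"x5t#S256": cert_thumbprint(CLIENT_CERT)}}
BEARER_CLAIMS = {"sub": "client-A"}

if __name__ == "__main__":
    print("same client:     ", token_is_bound_to(BOUND_CLAIMS, CLIENT_CERT))
    print("replayed token:  ", token_is_bound_to(BOUND_CLAIMS, OTHER_CERT))
    print("unbound bearer:  ", token_is_bound_to(BEARER_CLAIMS, CLIENT_CERT))
    print("no client cert:  ", token_is_bound_to(BOUND_CLAIMS, None))
```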
In the guides
mTLS Explained: Mutual TLS for Service Identity and API Authentication
Mutual TLS authenticates both sides of the connection. How it works for service-to-service, where SPIFFE/SPIRE fits, and the cert-management pitfalls that bite.
OAuth 2.1 Explained: What Changed and Why It Matters
OAuth 2.1 consolidates fifteen years of OAuth 2.0 practice into a single coherent specification. What it deprecates, what it requires, and how to migrate existing OAuth 2.0 code.