Session
Anti-theft protection for your tokens in SPAs with DPoP (Demonstrating Proof of Possession)
Stolen access tokens are a serious risk in modern API architectures, especially when a single-page application sends them from the browser to the server as bearer tokens in HTTP headers: whoever holds the token can use it. DPoP (Demonstrating Proof of Possession, RFC 9449) addresses this risk by binding the access token to a key pair the client holds, adding an extra layer of protection on top of OAuth 2.0. Every request must carry a fresh proof JWT signed with that key, so the resource server can verify that the caller actually possesses the key the token was bound to, and a token captured on its own is useless to the thief.
In my talk, I provide a compact introduction to the DPoP concept and answer key questions: What exactly is DPoP and how does it differ from (m)TLS? What prerequisites must client and server meet? What best practices have proven effective and where are potential pitfalls? Using code examples, I demonstrate how DPoP can be implemented in a single-page app with Keycloak as the IdP and an additional API.
You'll gain not only theoretical knowledge about token binding and replay protection, but also see firsthand how simply and effectively DPoP works in practice. If you're planning secure API scenarios and want to strengthen your protection against token theft, this talk will give you hands-on answers.