Anti-theft protection for your tokens in SPAs with DPoP (Demonstrated Proof-of-Possession)
In modern API architectures, token theft is one of the most damaging attack outcomes, especially in single-page applications, where access tokens live in the browser and travel to the server in HTTP headers on every request. A plain bearer token is valid for whoever holds it. DPoP (Demonstrating Proof-of-Possession, RFC 9449) addresses this by binding access and refresh tokens to a key pair held by the client: each request must carry a freshly signed proof for that specific HTTP method and URL, so a token stolen without its private key cannot be used. This adds a layer of protection on top of OAuth 2.0 and lets both the authorization server and the resource server verify that whoever presents a token actually possesses the key it was issued to.
In my talk, I will give a compact introduction to the DPoP concept and answer key questions: What exactly is DPoP and how does it differ from (m)TLS? What requirements must the client and server fulfil in order to be able to use DPoP? Which best practices have proven themselves in practice and what are the potential pitfalls? Using a live demo, I will show you how DPoP can be used and implemented in a single-page app with Keycloak and an additional API.
You will not only get theoretical knowledge about token binding and replay protection, but also see directly how easily and effectively DPoP works in practice. If you are planning secure API scenarios and want to increase your protection against token theft, this talk will provide you with practical answers and a live implementation to take with you.