DPoP and sender-constrained tokens: are your controls ready?

TL;DR: DPoP, standardised in RFC 9449, binds OAuth tokens to a client-held key and requires a fresh proof JWT on each request, making stolen bearer tokens unusable without the matching private key, according to WorkOS. That changes token theft from a simple replay problem into a key custody and proof-validation problem that IAM, NHI, and agentic OAuth designs now have to account for.

NHIMG editorial — based on content published by WorkOS: DPoP explained and how sender-constrained OAuth tokens change token theft risk

By the numbers:

• AI-related credential leaks surged 81.5% year-over-year in 2025, with the surrounding AI infrastructure leaking 5x faster than core LLM providers.
• 64% of valid secrets leaked in 2022 are still valid and exploitable today, proving that detection alone is not enough without automated revocation.
• 44% of NHI tokens are exposed in the wild, being sent or stored over platforms like Teams, Jira tickets, Confluence pages, and code commits.

Questions worth separating out

Q: How should security teams govern sender-constrained OAuth tokens for public clients?

A: They should treat sender constraining as a mandatory design control for any client that can leak bearer tokens, especially browsers, mobile apps, and AI agents.

Q: When does DPoP add more value than bearer-token rotation alone?

A: DPoP adds more value when token theft is plausible through logs, extensions, proxies, or script execution, because rotation still assumes the attacker can use the token until it expires.

Q: What breaks if browser private keys are stored badly for DPoP?

A: If the key is extractable or stored as plain text, an attacker who gains client-side access can exfiltrate the proofing key and turn DPoP into ordinary bearer-token risk again.

Practitioner guidance

• Map every public OAuth client to a sender-constraining decision Classify SPAs, mobile apps, and agent-facing clients separately from confidential server-to-server apps, then decide where DPoP or mTLS is required before token issuance is allowed.
• Store browser private keys as non-extractable Web Crypto objects Persist CryptoKey pairs in IndexedDB, not localStorage, and verify that the signing key cannot be exported even if JavaScript execution is compromised.
• Validate replay, nonce, and audience checks at the resource layer Require htm, htu, ath, jti, and nonce validation on every protected endpoint so a stolen token cannot be replayed across requests or services.

What's in the full article

WorkOS's full article covers the implementation detail this post intentionally leaves for the source:

• Walkthrough of the DPoP proof JWT structure, including htm, htu, ath, jti, and iat checks.
• Browser and mobile key-storage patterns for non-extractable private keys and nonce handling.
• Server-side validation steps for authorization servers and resource servers, including replay detection.
• Where DPoP fits next to mTLS, PKCE, PAR, OAuth 2.1, and MCP in public-client hardening.

👉 Read WorkOS's explanation of DPoP sender-constrained OAuth tokens →

DPoP and sender-constrained tokens: are your controls ready?

Explore further

View Full Forum →  |  NHI Foundation Course →