Sender constraining tokens using Demonstrating Proof-of-Possession (DPoP) is currently in Early Access. To request access to this feature, contact your Auth0 representative.
Sender constraining is an and Connect (OIDC) security mechanism that cryptographically binds access and to the specific client application that obtained them, preventing token theft and misuse. Auth0 supports mTLS sender constraining and Demonstrating Proof-of-Possession (DPoP). If you enable sender constraining for a client application, then you must also enforce it for the you’re making API calls to. To configure sender constraining in Auth0, you must:

How it works

are sender constrained in Auth0 depending on how you configure sender constraining for your client application and resource server:
  1. Requested audience: In a token request, whether the requested audience is /userinfo only, or only intended to be used with the /userinfo endpoint, or is a custom API that may include /userinfo when you also request the openid scope, affects whether access tokens are sender constrained.
  2. Client application: Whether you set sender constraining as required by the client application.
  3. Resource server: Whether you configure sender constraining for the resource server:
    1. none: You have not configured sender constraining for the resource server.
    2. allowed: You have configured sender constraining for the resource server by setting a sender constraining method.
    3. required: You have configured sender constraining as required for the resource server, meaning that access tokens must be sender-constrained to an application. Requires a sender constraining method.
  • Proof-of-Possession: Whether the client application sent a proof-of-possession assertion in the token request:
    • mTLS sender constraining: The proof of possession is demonstrated through the client’s successful presentation of a specific private key (associated with a client certificate) during the TLS handshake.
    • DPoP: The proof of possession is achieved by the client creating a DPoP Proof JWT by cryptographically signing it with its private key and including the DPoP Proof JWT in the DPoP HTTP header of every request where the associated access token is used.
The following table describes how access tokens are issued and whether they are sender-constrained based on various client request parameters and Auth0 resource server configurations:
Requested Audience TypeClient Requires PoP?Proof-of-Possession (PoP) Sent by Client?Auth0 Resource Server Policy: NoneAuth0 Resource Server Policy: Allowed (Not Required)Auth0 Resource Server Policy: Required
Userinfo OnlyNoNoIssued, Not Sender-ConstrainedN/AN/A
Userinfo OnlyNoYesIssued, Sender-ConstrainedN/AN/A
Userinfo OnlyYesNoNot IssuedN/AN/A
Userinfo OnlyYesYesIssued, Sender-ConstrainedN/AN/A
Custom Audience (may contain Userinfo)NoNoIssued, Not Sender-ConstrainedIssued, Not Sender-ConstrainedNot Issued
Custom Audience (may contain Userinfo)NoYesIssued, Not Sender-ConstrainedIssued, Sender-ConstrainedIssued, Sender-Constrained
Custom Audience (may contain Userinfo)YesNoNot IssuedNot IssuedNot Issued
Custom Audience (may contain Userinfo)YesYesNot IssuedIssued, Sender-ConstrainedIssued, Sender-Constrained

Configure sender constraining for a client application

When you require sender constraining for a client application, access tokens are constrained to that application. Auth0 verifies requests to ensure that only the application that requested the token can use it to access the associated resource. Once you configure a client application to require sender constraining, you can set the sender constraining method, either mTLS or DPoP, when configuring your resource server. You can configure sender constraining for a client application with the or .
  1. Go to Dashboard > Applications > Applications. Select the application you want to configure.
  2. Under Settings, scroll to Token Sender-Constraining.
  3. Toggle on to Require Sender Constraining. Toggle off to remove the requirement for Sender Constraining for the application.

Configure sender constraining for a resource server

Access tokens issued by Auth0 can be constrained to the sender (i.e. the client application) that needs to access APIs at a resource server. You can configure sender constraining for a resource server with the Auth0 Dashboard or Management API.
To enable Token Binding or sender constraining, configure the API Settings of your API.
  1. Navigate to Auth0 Dashboard > Applications > APIs.
  2. Select the API you want to configure.
  3. Under the Settings tab, find the Token Sender-Constraining section.
  4. Configure the following:
    1. Sender Constraining Method:
      1. None: Don’t enable a sender constraining method for your resource server.
      2. mTLS: Enable mTLS as the sender constraining method for your resource server.
      3. DPoP: Enable DPoP as the sender constraining method for your resource server.
B. Toggle on Require Token Sender Constraining. All access tokens issued to an application for this API will be constrained to that application.
Auth0 Dashboard > APIs > Settings > Token binding