ediverse Explore the platform

Spotlight PEPPOL BIS Billing 3.0 The EU e-invoicing mandate is here — France Sept 2026, Belgium Jan 2026, Germany 2025.

OAuth DPoP detail

RFC 9449 application-layer token-binding.

Definition

DPoP uses DPoP HTTP header with signed JWT including htm (HTTP method), htu (HTTP URI), iat (timestamp), jti (unique ID), public key in JWK header. Authorization server issues access token containing cnf (confirmation) with thumbprint of the public key, bound to the DPoP proof. RS validates the DPoP JWT on each request.

Origin

IETF OAuth WG, draft 2019, RFC 9449 published September 2023.

Usage

Adopted by FAPI 2.0, banks Open Banking (UK Open Banking 4.0, FAPI 2.0 implementations). Legacy alternative to mTLS Sender-Constrained Tokens.

Related terms

Last updated: May 18, 2026