auth0-dpop

oleh auth0

Use when adding DPoP (Demonstrating Proof-of-Possession) token binding to protect API calls with device-bound, sender-constrained access tokens that cannot be…

npx skills add https://github.com/auth0/agent-skills --skill auth0-dpop

Auth0 DPoP Guide

Bind access tokens to the client's cryptographic key so stolen tokens cannot be replayed.


Overview

What is DPoP?

DPoP (Demonstrating Proof-of-Possession) is an OAuth 2.0 mechanism defined in RFC 9449 that cryptographically binds access tokens to a client-held key pair. Each API request includes a short-lived signed JWT (the DPoP proof) that proves the sender holds the private key — a stolen token alone cannot be replayed by an attacker.

When to Use This Skill

  • Protecting high-value API calls against token theft and replay attacks
  • Meeting security or compliance requirements that mandate sender-constrained tokens
  • Any SPA or Vanilla JS app calling a protected Auth0 API with elevated security needs

When NOT to Use This Skill

  • SSR / server-side environments — DPoP relies on a private key held in the browser; it cannot be safely used server-side (Next.js, Nuxt, etc.)
  • APIs that don't support DPoP — the resource server must be configured to accept DPoP token dialect; Bearer-only APIs will reject DPoP proofs
  • Flows requiring token sharing — DPoP tokens are bound to a single key pair and cannot be forwarded to or reused by another client

Requirements

  • Auth0 tenant with DPoP-capable authorization server
  • API resource server with DPoP token dialect enabled
  • A browser SPA using one of: @auth0/auth0-vue, @auth0/auth0-react, @auth0/auth0-angular, or @auth0/auth0-spa-js
  • HTTPS in production (required by Auth0 for DPoP)

Key Concepts

ConceptDescription
DPoP ProofA short-lived signed JWT attached to each request proving key possession
DPoP NonceA server-issued value that must be included in the proof to prevent replay
useDpop: trueSDK option that enables automatic DPoP proof generation
createFetcher()SDK helper that returns a fetch-compatible function handling proofs automatically
UseDpopNonceErrorError thrown when the server rotates its nonce mid-flight; retry with the new nonce

Step 1: Enable DPoP on Your API

Via Auth0 Dashboard

  1. Go to Applications → APIs
  2. Select the API your SPA calls
  3. Under the Settings tab, confirm the API identifier matches your audience
  4. No additional toggle is needed in the dashboard — DPoP is enabled per-request by the client when the API resource server is configured to accept DPoP tokens

Via Auth0 CLI

# Inspect current resource server settings
auth0 api get "resource-servers" | jq '.[] | select(.identifier == "https://your-api-identifier")'

# Enable DPoP token dialect on the API
auth0 api patch "resource-servers/{API_ID}" \
  --data '{"token_dialect": "access_token_authz"}'

Replace {API_ID} with the ID returned from the GET call above.


Step 2: Configure Your Application

Common pattern across all frameworks

  1. Add useDpop: true to your Auth0 client/provider configuration alongside your audience
  2. Use createFetcher() instead of attaching tokens manually — the SDK handles proof generation, nonce management, and header injection for you
  3. Handle UseDpopNonceError in cases where the server rotates its nonce

Environment variables

Ensure your .env includes the API audience:

# Vite
VITE_AUTH0_DOMAIN=your-tenant.auth0.com
VITE_AUTH0_CLIENT_ID=your-client-id
VITE_AUTH0_AUDIENCE=https://your-api-identifier

Additional Resources

Framework Examples

Complete implementation examples for all supported frameworks:

  • Vue.js
  • React
  • Angular
  • auth0-spa-js (Vanilla JS)

Integration Guide

Error handling and troubleshooting:

  • UseDpopNonceError — nonce rotation handling
  • Common issues

Related Skills

  • auth0-vue - Vue.js Auth0 integration
  • auth0-react - React Auth0 integration
  • auth0-angular - Angular Auth0 integration
  • auth0-spa-js - Vanilla JS / framework-agnostic SPA integration
  • auth0-mfa - Multi-factor authentication

References

Lebih banyak skill dari auth0

acul-screen-generator
auth0
Menghasilkan implementasi layar Auth0 Advanced Custom Universal Login (ACUL) yang lengkap dan bermerek menggunakan React atau Vanilla JS SDK. Gunakan ketika pengembang meminta untuk…
official
auth0-android-major-migration
auth0
Use when upgrading an Android app's Auth0 SDK (com.auth0.android:auth0) to the next major version. Detects the current version, checks prerequisites, and…
official
auth0-aspnetcore-authentication
auth0
Use when adding cookie-based login, logout, or user profile to an ASP.NET Core MVC, Razor Pages, or Blazor Server web app. Integrates…
official
auth0-branding
auth0
Use when customizing the look of Auth0 Universal Login to match a brand — changing colors, logo, fonts, page layout, or login text. Also use when resetting…
official
auth0-custom-domains
auth0
Use when setting up, verifying, or troubleshooting a custom Auth0 login domain (e.g. login.example.com). Covers CNAME setup, verification, TLS policy, Multiple…
official
auth0-fastify
auth0
Gunakan saat menambahkan autentikasi (login, logout, rute yang dilindungi) ke aplikasi web Fastify - mengintegrasikan @auth0/auth0-fastify untuk autentikasi berbasis sesi. Untuk…
official
auth0-fastify-api
auth0
Gunakan saat mengamankan titik akhir API Fastify dengan validasi token JWT Bearer, pemeriksaan lingkup/izin, atau autentikasi tanpa status - mengintegrasikan @auth0/auth0-fastify-api untuk…
official
auth0-flutter-native
auth0
Use when adding Auth0 login, logout, or biometric-protected credential storage to a Flutter mobile app (iOS or Android). Integrates auth0_flutter on the native…
official