1. Overview
The Youforce API supports DPoP (Demonstrating Proof of Possession), an advanced security mechanism that helps to prevent token theft and replay attacks by cryptographically binding access tokens to a specific client instance.
2. How DPoP Works with Our APIs
When DPoP is used:
- Client-Side Key Pair: Your application generates a unique public/private key pair.
- DPoP Proof JWT: For API requests requiring DPoP, your client creates a DPoP proof JWT. This JWT is signed with your private key and includes information about the HTTP request it’s accompanying.
- Authorization header: The `Authorization` HTTP header is still required and is handled in the same way as when DPoP is not used.
- API Request: The DPoP proof JWT is sent in the `DPoP` HTTP header alongside the access token in the `Authorization` header.
- Server-Side Validation: Youforce API validates the DPoP proof, ensuring the access token is being used by the legitimate “possessor” of the cryptographic key.
3. Client Implementation Responsibilities
To integrate with DPoP, clients must handle the following:
- Key Pair Generation: Securely generate and manage the public/private key pair used for signing DPoP proofs.
- DPoP Proof JWT Generation: Implement the logic to create well-formed DPoP proof JWTs as per RFC 9449. This includes signing the JWT with the private key and including the necessary claims (e.g., `htu`, `htm`, `jti`).
Please Note: We do not currently offer tools or libraries for client-side key pair generation or DPoP proof JWT creation. This implementation is the responsibility of the client application.
4. Integration Support
Although the client-side setup is your responsibility, our team is committed to assisting you. If you require support or have questions during your DPoP integration, please don’t hesitate to contact us.
5. Recommended Resources
To avoid duplicating extensive documentation, we strongly recommend reviewing these resources for a thorough understanding and implementation guidance:
- Visma Developer Portal - DPoP Guide: An excellent, practical guide to understanding and implementing DPoP: https://docs.connect.visma.com/docs/dpop
- Official DPoP RFC 9449: The definitive specification for DPoP: https://datatracker.ietf.org/doc/html/rfc9449