Bearer tokens are the usual way to restrict access to protected resources, but anyone who holds one can use it: a token that is stolen or leaked gives the thief the same access as the legitimate client. Proof-of-possession (PoP) tokens, also called sender-constrained tokens, close this gap by binding the token to a key that only the original client holds, so presenting the token on its own is not enough.

Two standardized ways to enforce this are certificate-bound tokens over mTLS (RFC 8705) and DPoP, Demonstrating Proof-of-Possession (RFC 9449). With mTLS, the token is bound to the client's TLS certificate: the authorization server records a hash of the certificate in the token, and the resource server accepts the token only on a connection authenticated with that same certificate. With DPoP, the client generates an asymmetric key pair and the token is bound to a thumbprint of the public key; on every request the client also sends a short-lived DPoP proof, a JWT signed with its private key that names the request's HTTP method and URL and carries a hash of the access token, so the server can check that the caller actually holds the private key. Kong Gateway Enterprise 3.7 supports both methods, so a token presented without the matching certificate or proof is rejected at the gateway and a stolen token is of far less use to an attacker.

DPoP is particularly attractive for public clients such as single-page applications, which cannot safely hold a client certificate and for which mTLS would require a PKI to issue one: the client only needs a key pair it generates itself. It is also accepted by profiles with stringent security requirements, such as financial-grade APIs.