Home / Companies / WorkOS / Blog / Post Details
Content Deep Dive

Sender-constrained tokens: Why mTLS and DPoP exist, and what killed Token Binding

Blog post from WorkOS

Post Details
Company
Date Published
Author
Maria Paktiti
Word Count
1,803
Company Posts That Month
51
Language
English
Hacker News Points
-
Post removed?
No
Summary

Bearer tokens, while convenient, have a vulnerability in that they can be used by anyone who intercepts them, leading to potential security risks such as token leakage and replay attacks. To address this, sender-constraining techniques like Mutual TLS (mTLS) and Demonstrating Proof of Possession (DPoP) have been developed, which bind tokens to specific clients, rendering them useless if intercepted without the corresponding key material. mTLS operates at the transport layer by extending the TLS handshake to include client certificates, making it suitable for environments with existing mutual TLS requirements, although it is not ideal for browser-based applications due to its complexity and certificate management demands. DPoP, on the other hand, functions at the application layer using HTTP headers, allowing for broader deployability across different system architectures, including browsers, as it does not require changes to TLS termination. Token Binding, another proposed solution, failed to gain traction due to its dependency on widespread ecosystem support and its inability to be incrementally deployed, highlighting that practical adoption of security protocols often hinges more on deployability than cryptographic robustness. Consequently, mTLS is recommended for controlled backend environments, while DPoP is preferred for client-side applications where flexibility and ease of integration are necessary.

Trends Found in this Post
Trend Post Mentions Total Month Mentions Posts Companies MoM
Zero Trust 1 152 46 28 +67%
Use This Data

Use this post, company, and trend context to find content marketing opportunities, perform competitive analysis, or address product feature gaps via the Plushcap MCP server or the Plushcap API.