Sender-constrained tokens: Why mTLS and DPoP exist, and what killed Token Binding

Bearer tokens, while convenient, have a vulnerability in that they can be used by anyone who intercepts them, leading to potential security risks such as token leakage and replay attacks. To address this, sender-constraining techniques like Mutual TLS (mTLS) and Demonstrating Proof of Possession (DPoP) have been developed, which bind tokens to specific clients, rendering them useless if intercepted without the corresponding key material. mTLS operates at the transport layer by extending the TLS handshake to include client certificates, making it suitable for environments with existing mutual TLS requirements, although it is not ideal for browser-based applications due to its complexity and certificate management demands. DPoP, on the other hand, functions at the application layer using HTTP headers, allowing for broader deployability across different system architectures, including browsers, as it does not require changes to TLS termination. Token Binding, another proposed solution, failed to gain traction due to its dependency on widespread ecosystem support and its inability to be incrementally deployed, highlighting that practical adoption of security protocols often hinges more on deployability than cryptographic robustness. Consequently, mTLS is recommended for controlled backend environments, while DPoP is preferred for client-side applications where flexibility and ease of integration are necessary.