Use when adding DPoP (Demonstrating Proof-of-Possession) token binding to protect API calls with device-bound, sender-constrained access tokens that cannot be replayed if stolen. Also use when a user says "bind tokens to the client", "prevent token theft", or "sender-constrained tokens".
```bash
npx skill4agent add auth0/agent-skills auth0-dpop
```

`@auth0/auth0-vue`, `@auth0/auth0-react`, `@auth0/auth0-angular`, `@auth0/auth0-spa-js`

| Concept | Description |
|---|---|
| DPoP Proof | A short-lived signed JWT attached to each request proving key possession |
| DPoP Nonce | A server-issued value that must be included in the proof to prevent replay |
| `useDpop: true` | SDK option that enables automatic DPoP proof generation |
| `createFetcher()` | SDK helper that returns a |
| `UseDpopNonceError` | Error thrown when the server rotates its nonce mid-flight; retry with the new nonce |
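
The replay defences in the table above (a short-lived proof per request, a server-issued nonce) reduce to a few claim checks on the resource server. The following is an added example, not Auth0 SDK code or code from this page; `checkDpopProof`, `sampleProof`, the 60-second window and the sample request are assumptions, and signature verification is assumed to have happened before these checks.

```javascript
// Added example (not Auth0 SDK code): replay checks a resource server applies
// to a DPoP proof per RFC 9449. Assumption: the ES256 signature was already
// verified against the "jwk" header, and the "ath"/key-binding checks are done elsewhere.
const MAX_AGE_S = 60;          // assumed freshness window, in seconds
const seenJti = new Map();     // jti -> expiry time, enforces single use

const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const reject = (error, extra = {}) => ({ ok: false, error, ...extra });

function checkDpopProof(proofJwt, req, currentNonce, nowS) {
  const [h, p] = proofJwt.split('.');
  const header = decodePart(h);
  const claims = decodePart(p);
  if (header.typ !== 'dpop+jwt' || !header.jwk) return reject('invalid_dpop_proof');
  // Bind the proof to this request: HTTP method and URL without query or fragment.
  const url = new URL(req.url);
  if (claims.htm !== req.method || claims.htu !== url.origin + url.pathname) {
    return reject('invalid_dpop_proof');
  }
  // Short-lived: iat must be a number inside the freshness window.
  if (typeof claims.iat !== 'number' || Math.abs(nowS - claims.iat) > MAX_AGE_S) {
    return reject('invalid_dpop_proof');
  }
  // Server-issued nonce: a missing or rotated nonce tells the client to retry
  // with the value returned here (sent in the DPoP-Nonce response header).
  if (claims.nonce !== currentNonce) return reject('use_dpop_nonce', { nonce: currentNonce });
  // Single use: drop expired entries, then refuse any jti seen before.
  for (const [jti, exp] of seenJti) if (exp < nowS) seenJti.delete(jti);
  if (typeof claims.jti !== 'string' || seenJti.has(claims.jti)) return reject('invalid_dpop_proof');
  seenJti.set(claims.jti, nowS + MAX_AGE_S);
  return { ok: true };
}

// Constructed sample proof: real header/claim layout, placeholder signature.
function sampleProof(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = { typ: 'dpop+jwt', alg: 'ES256', jwk: { kty: 'EC', crv: 'P-256' } };
  return `${enc(header)}.${enc(claims)}.constructed-signature`;
}

// Constructed request and claims for demonstration.
const demoReq = { method: 'GET', url: 'https://api.example.test/orders?page=2' };
const demoClaims = { htm: 'GET', htu: 'https://api.example.test/orders', iat: 1000, jti: 'demo-1', nonce: 'n2' };
console.log(checkDpopProof(sampleProof(demoClaims), demoReq, 'n2', 1010)); // accepted
console.log(checkDpopProof(sampleProof(demoClaims), demoReq, 'n2', 1011)); // replayed jti
```

The `use_dpop_nonce` result is the server-side condition that surfaces on the client as `UseDpopNonceError`; the client signs a new proof carrying the returned nonce and retries.
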
`audience`

```bash
# Inspect current resource server settings
auth0 api get "resource-servers" | jq '.[] | select(.identifier == "https://your-api-identifier")'
# Enable DPoP token dialect on the API
auth0 api patch "resource-servers/{API_ID}" \
  --data '{"token_dialect": "access_token_authz"}'
```

Replace `{API_ID}` with the ID returned from the GET call above.
`useDpop: true`, `audience`, `createFetcher()`, `UseDpopNonceError`

`.env`

```bash
# Vite
VITE_AUTH0_DOMAIN=your-tenant.auth0.com
VITE_AUTH0_CLIENT_ID=your-client-id
VITE_AUTH0_AUDIENCE=https://your-api-identifier
```

`UseDpopNonceError`

auth0-vue, auth0-react, auth0-angular, auth0-spa-js, auth0-mfa