
OAuth 2.0 Proof-of-Possession (PoP) Security Architecture

Document Type Expired Internet-Draft (oauth WG)
Expired & archived
Authors Phil Hunt , Justin Richer , William Mills , Prateek Mishra , Hannes Tschofenig
Last updated 2017-01-09 (Latest revision 2016-07-08)
Replaces draft-hunt-oauth-pop-architecture
RFC stream Internet Engineering Task Force (IETF)
Intended RFC status Informational
Additional resources Mailing list discussion
Stream WG state Submitted to IESG for Publication
Document shepherd Kepeng Li
Shepherd write-up Last changed 2015-10-20
IESG state Expired (IESG: Dead)
Consensus boilerplate Yes
Telechat date (None)
Responsible AD Kathleen Moriarty
IANA review state Version Changed - Review Needed

This Internet-Draft is no longer active; a copy of the expired Internet-Draft remains archived.


The OAuth 2.0 bearer token specification, as defined in RFC 6750, allows any party in possession of a bearer token (a "bearer") to access the associated resources without demonstrating possession of a cryptographic key. Because possession alone is sufficient, a bearer token must be protected from disclosure both in transit and at rest: anyone who captures it can use it. Some scenarios demand additional protection, whereby a client must demonstrate possession of cryptographic keying material bound to the token when accessing a protected resource, so that a captured token is useless without the key. This document motivates the development of the OAuth 2.0 proof-of-possession security mechanism.
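The contrast the abstract draws can be made concrete with a small simulation. The following is an added example, not code from the draft or from any OAuth implementation: it models a resource server that accepts bearer tokens on possession alone, and PoP tokens only when the request is signed with the symmetric key bound to the token. The exact signed-message format (method, path, timestamp, nonce joined by newlines), the 60-second clock-skew window and the nonce replay cache are assumptions made for the illustration; the draft only requires that the client demonstrate possession of keying material.

```python
"""
Illustrative model of bearer versus proof-of-possession (PoP) access tokens.

Added example; the signed-request format, skew window and nonce cache are
assumptions for illustration, not the draft's wire format.
"""
import hashlib
import hmac
import secrets
import time


def sign(key, method, path, ts, nonce):
    """HMAC-SHA256 over the request parts the PoP client commits to (assumed format)."""
    msg = f"{method}\n{path}\n{ts}\n{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class ResourceServer:
    """Holds issued tokens; for PoP tokens also the key each token is bound to."""

    SKEW = 60  # seconds of clock skew tolerated on signed requests (assumption)

    def __init__(self):
        self.bearer_tokens = set()
        self.pop_keys = {}        # token -> symmetric key shared with the client
        self.seen_nonces = set()  # replay cache for PoP requests

    # Issuance stands in for the authorization server, for brevity.
    def issue_bearer(self):
        tok = secrets.token_urlsafe(32)
        self.bearer_tokens.add(tok)
        return tok

    def issue_pop(self):
        tok = secrets.token_urlsafe(32)
        key = secrets.token_bytes(32)
        self.pop_keys[tok] = key
        return tok, key

    def check_bearer(self, token):
        # Possession of a valid token is sufficient: whoever holds it gets in.
        return token in self.bearer_tokens

    def check_pop(self, token, method, path, ts, nonce, mac, now=None):
        # The token alone is not enough: the MAC must verify under the bound key,
        # the timestamp must be fresh, and the nonce must not have been seen.
        key = self.pop_keys.get(token)
        if key is None:
            return False
        now = time.time() if now is None else now
        if abs(now - ts) > self.SKEW:
            return False
        if nonce in self.seen_nonces:
            return False
        if not hmac.compare_digest(sign(key, method, path, ts, nonce), mac):
            return False
        self.seen_nonces.add(nonce)
        return True


def pop_request(token, key, method, path, now=None):
    """Client side: build a signed request; only a holder of `key` can do this."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(16)
    return (token, method, path, ts, nonce, sign(key, method, path, ts, nonce))


def bearer_scenario():
    """A bearer token leaked in transit or from storage works for the thief too."""
    rs = ResourceServer()
    token = rs.issue_bearer()
    stolen = token
    return {"client": rs.check_bearer(token), "thief": rs.check_bearer(stolen)}


def pop_scenario():
    """A thief who captures a whole signed PoP request, but not the key, is stuck."""
    rs = ResourceServer()
    token, key = rs.issue_pop()
    req = pop_request(token, key, "GET", "/photos")
    client_ok = rs.check_pop(*req)
    replay = rs.check_pop(*req)  # identical replay: nonce already seen
    tok, _method, path, ts, _nonce, mac = req
    # New request under the stolen token with a fresh nonce but no key: MAC mismatch.
    forged = rs.check_pop(tok, "DELETE", path, ts, secrets.token_hex(16), mac)
    return {"client": client_ok, "thief_replay": replay, "thief_forge": forged}


if __name__ == "__main__":
    print("bearer:", bearer_scenario())
    print("pop:   ", pop_scenario())
```

The symmetric-key form is used here only because it is the shortest to write; the same check works with an asymmetric key, where the resource server holds the client's public key and verifies a signature instead of recomputing an HMAC, and the client's private key never leaves the client.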

