
The OAuth 2.0 Authorization Framework: JWT Pop Token Usage

Document Type: Expired Internet-Draft (individual); expired & archived
Authors: Nat Sakimura, Kepeng Li, John Bradley
Last updated: 2020-01-23 (Latest revision 2019-07-22)
Replaces: draft-sakimura-oauth-rjwtprof
RFC stream: (None)
Intended RFC status: (None)
Stream state: (No stream defined)
Consensus boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active.


This specification describes how to use JWT POP (Jpop) tokens that were obtained through [POPKD] in HTTP requests to access OAuth 2.0 protected resources. Only the party in possession of the corresponding cryptographic key for the Jpop token can use it to get access to the associated resources, unlike the bearer token described in [RFC6750], where any party in possession of the access token can access the resource.


Nat Sakimura
Kepeng Li
John Bradley

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)