useJWT DPoP support #4335

@swantzter

Is your feature request related to a problem? Please describe.

Our Authentication providers, and more of them as time progresses, support DPoP for hardened security. It would be nice if useJWT supported this check.

Describe the solution you'd like

  • A way to feed in an extractor for the DPoP header value (possibly just allowing ExtractTokenFunction to return { token: string, dpop?: string, prefix?: string })
  • The default extractor to check for DPoP authorization schemes in addition to Bearer, and if so also extract the DPoP header value
  • Verify the token and DPoP tokens

Describe alternatives you've considered

Writing a custom plugin

Additional context

Auth0 has a good example: https://auth0.com/docs/secure/sender-constraining/demonstrating-proof-of-possession-dpop
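
The checks the request above implies, as an added example that is not part of the original issue and not the project's own code: a hypothetical `extractToken` returning the proposed `{ token, prefix, dpop }` shape, and a hypothetical `verifyDpopProof` applying the RFC 9449 proof checks. It assumes ES256 proofs only, lowercase header names, and an access token whose signature and `cnf.jkt` claim have already been verified.

```javascript
const { createHash, createPublicKey, verify } = require('node:crypto');

const b64u = (buf) => Buffer.from(buf).toString('base64url');
const sha256 = (s) => b64u(createHash('sha256').update(s).digest());
const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Hypothetical extractor: accepts Bearer and DPoP schemes and, for DPoP,
// returns the DPoP header value next to the token (shape proposed in the issue).
function extractToken(headers) {
  const [prefix, token] = (headers.authorization || '').split(' ');
  if (!token || !/^(bearer|dpop)$/i.test(prefix)) return undefined;
  return /^dpop$/i.test(prefix) ? { token, prefix, dpop: headers.dpop } : { token, prefix };
}

// RFC 7638 thumbprint of an EC public JWK: required members, sorted, no whitespace.
const jwkThumbprint = ({ crv, kty, x, y }) => sha256(JSON.stringify({ crv, kty, x, y }));

// Returns null when the proof is acceptable, otherwise the reason for rejection.
// cnfJkt is the cnf.jkt claim taken from the already verified access token.
function verifyDpopProof({ token, dpop }, { method, url, cnfJkt, now = Date.now() / 1000, maxAge = 60 }) {
  if (typeof dpop !== 'string') return 'missing proof';
  const parts = dpop.split('.');
  if (parts.length !== 3) return 'malformed proof';
  let header, claims;
  try { header = decode(parts[0]); claims = decode(parts[1]); } catch { return 'malformed proof'; }
  if (header.typ !== 'dpop+jwt' || header.alg !== 'ES256') return 'bad typ or alg';
  const jwk = header.jwk;
  // The embedded key must be a public P-256 key; a private member (d) is rejected.
  if (!jwk || jwk.kty !== 'EC' || jwk.crv !== 'P-256' || jwk.d) return 'bad jwk';
  let ok = false;
  try {
    const key = createPublicKey({ key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x, y: jwk.y }, format: 'jwk' });
    // JWS ES256 signatures are raw r||s, hence the ieee-p1363 encoding.
    ok = verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`), { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  } catch { return 'bad jwk'; }
  if (!ok) return 'bad signature';
  if (claims.htm !== method) return 'htm mismatch';
  // htu excludes query and fragment; full URI normalization is omitted here.
  if (claims.htu !== url.split(/[?#]/)[0]) return 'htu mismatch';
  if (typeof claims.iat !== 'number' || Math.abs(now - claims.iat) > maxAge) return 'stale proof';
  if (typeof claims.jti !== 'string') return 'missing jti';
  if (claims.ath !== sha256(token)) return 'ath mismatch'; // proof is tied to this access token
  if (jwkThumbprint(jwk) !== cnfJkt) return 'key not bound to token'; // token is tied to this key
  return null; // jti replay tracking within maxAge is left to the caller
}
```

A Bearer token whose verified claims carry `cnf.jkt` should be rejected rather than accepted without a proof, otherwise the sender constraint can be bypassed by switching schemes.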
