Security
Sender-constrained tokens: DPoP and mTLS
Crux Why bearer tokens fail under XSS or supply-chain attack, how DPoP binds a token to a client-held key, and when to use mTLS-bound tokens instead — with FAPI 2.0 requirements.
Your altitude — climbing toward senior
ZeroJuniorMiddleSenior
You are at senior altitude — in orbitA supply-chain attack injects one line of JavaScript into your SPA. It reads the access token from memory and exfiltrates it to an attacker’s server. The token is a bearer token — whoever holds it wins. The attacker now has minutes or hours to call your API as the victim. DPoP makes the stolen token worthless: without the corresponding private key that never left the client, the attacker cannot generate a valid proof.
The bearer token problem
A bearer access token is exactly what the name says: anyone who holds it can use it. The resource server does not check who is presenting the token — only that the token is valid. This is the design.
The consequence: theft equals full compromise for the token’s remaining TTL. Short TTLs (5–15 min) limit the window, but they do not eliminate it. For banking, healthcare, and other high-value workloads, “a stolen token works for 15 minutes” is not an acceptable risk.
DPoP — Demonstrating Proof of Possession (RFC 9449)
DPoP binds the access token to a key pair controlled by the client. The client generates a non-extractable key pair (WebCrypto in browsers, OS keychain in native apps). The access token carries a cnf (confirmation) claim containing the JWK thumbprint (jkt) of the public key.
On every API call, the client computes a DPoP proof JWT in the DPoP HTTP header. The proof payload contains:
jti— unique ID (server caches to detect replays, typical window 5–10 min)htm— HTTP method (e.g.POST)htu— HTTP target URI (e.g.https://api.bank.example/v1/transfer)iat— issued-at timestamp (server rejects if outside ~60s window)ath— SHA-256 of the access token (binds this proof to this specific token)
The proof’s header includes the public key (jwk). The resource server validates:
- Signature valid (using the embedded
jwk) ath= SHA-256 of the incoming bearer tokenhtmandhtumatch the actual requestiatwithin acceptable windowjtinot seen recently (anti-replay)jwkhashes to thejktin the token’scnfclaim
A stolen token without the private key cannot generate step 1 or 5. The API call is rejected.
DPoP proof structure per API call
DPoP header (JWT signed with client private key)
header: { alg: ES256, jwk: {public key} }
payload: { jti: uuid, htm: “POST”, htu: “https://api.bank…/transfer”, iat: 1716230400, ath: sha256(access_token) }
Access token cnf claim
cnf: { jkt: “base64url(SHA-256(public_key))” }
Resource server: verify proof signature, check ath, check htm+htu, check jki = jkt in token. Stolen token without private key fails step 1.
mTLS-bound tokens (RFC 8705)
mTLS (mutual TLS) binds the access token to the client’s X.509 certificate. The TLS handshake itself presents the certificate; the resource server verifies that the TLS-presented certificate matches the cnf.x5t#S256 claim in the token.
DPoP vs mTLS — the practical difference for browser SPAs:
- Browsers do not expose TLS client certificates to JavaScript. mTLS requires the certificate to be selected at the OS / browser level — not practical for SPAs where the key must live in JS.
- DPoP uses the WebCrypto API to hold a non-extractable key pair in the browser JS context. This works; the key never leaves the browser but is still controlled by the SPA code.
- FAPI 2.0 (Open Banking profile) requires sender-constrained tokens via either mTLS or DPoP. For new browser-based fintech in 2026, DPoP is the default choice. mTLS is the choice for backend service-to-service where client certificates are manageable.
PAR and JAR: hardening the authorize request
Pushed Authorization Requests (PAR, RFC 9126): Instead of putting all parameters in the browser redirect URL, the client POSTs them to a /par endpoint over a TLS-authenticated back channel first. The server returns a short-lived request_uri. The client redirects the browser to /authorize?request_uri=... — no parameters visible in the URL.
Benefits: parameters are not in browser history, referrer headers, or screenshots. The authorization server validates the request before the browser is involved.
JAR (JWT Authorization Requests, RFC 9101): The client packages the authorize parameters as a signed JWT. The auth server validates the signature before processing. Combined with PAR, the entire request is off-URL and integrity-protected.
Both PAR + JAR are required by FAPI 2.0. Consumer OAuth typically skips them; banking and healthcare implementations require them.
Quiz
Completed
Why is DPoP preferred over mTLS for browser SPAs even though both are FAPI 2.0 compliant?
Heads-up The throughput is comparable; the choice is about where the key lives.
Heads-up mTLS-bound tokens (RFC 8705) remain current and are required by FAPI 2.0 alongside DPoP.
Heads-up Neither GDPR nor FAPI specifies DPoP over mTLS; deployability drives the choice.
Quiz
Completed
A DPoP proof is valid but the jti was seen by the server 2 minutes ago. What should the server do?
Heads-up The replay cache window is typically 5–10 minutes; a jti seen within that window is a replay attempt regardless of timestamp.
Heads-up Replayed DPoP proofs must be rejected regardless of token status.
Heads-up Logging and proceeding allows replay attacks — the spec requires rejection.
Order the steps
Completed
Order the DPoP validation steps the resource server performs:
- 1 Parse the DPoP JWT header and extract the embedded public key (jwk)
- 2 Verify the DPoP proof signature using the embedded public key
- 3 Verify ath claim equals SHA-256 of the incoming access token
- 4 Verify htm and htu match the actual HTTP method and URI of this request
- 5 Verify iat is within the acceptable time window (~60 seconds)
- 6 Check jti has not been seen in the replay cache (5–10 minute window)
- 7 Extract cnf.jkt from the access token and verify the proof's jwk hashes to that value
- 01What makes a DPoP proof bind a stolen access token to uselessness?
- 02What does PAR (Pushed Authorization Requests) add to the OAuth flow?
- 03When would you choose mTLS over DPoP for sender-constraining tokens?
Recap
Bearer tokens are the legacy default: anyone who holds the token can use it. DPoP (RFC 9449) binds the token to a client-held private key — every API call requires a fresh proof JWT signed by that key, containing the hash of the access token, the request method, and the target URI. Stolen tokens without the key are rejected. mTLS-bound tokens (RFC 8705) achieve the same binding via X.509 client certificates. FAPI 2.0 requires one or the other for banking, healthcare, and regulated AI workloads. DPoP is the browser choice because WebCrypto provides non-extractable keys in JavaScript; mTLS is the backend-service choice. PAR and JAR harden the /authorize request itself by moving parameters off the URL.
Connected lessons
appears again in202
- Why GraphQL gets N+1junior
- DataLoader mechanics: tick-boundary batchingmiddle
- Batch function contracts: ordering, shapes, errorsmiddle
- Federation and lookahead: batching beyond DataLoadermiddle
- Query complexity defences: depth, cost, persisted queriesmiddle
- Senior GraphQL API: scheduling contract, tenant isolation, observabilitysenior
- Why idempotency: making retries safejunior
- Server-side state machine: four states of an idempotency keymiddle
- Outbox and inbox: effectively-once across the dual-write boundarymiddle
- Concurrency and cache architecture for idempotency at scalesenior
- Observability, production failures, and global-scale designsenior
- The event loop: one thread, three queuesjunior
- Tasks, microtasks, and scheduler.yield()middle
- Microtask starvation, Long Tasks, and LoAFsenior
- Node.js event loop: phases, nextTick, and loop lagsenior
- React, Vue, and INP observability in productionsenior
- The render pipeline: six stages from bytes to pixelsjunior
- Stage costs and the renderer process modelmiddle
- Invalidation, dirty bits, and containmiddle
- Compositor layers: promotion, overlap, and GPU memorymiddle
- DevTools flame strip and the frame lifecyclemiddle
- Layout thrash: forced synchronous layoutsenior
- BeginMainFrame, compositor-driven animations, and GPU memorysenior
- Production observability: LoAF, INP, and the full attack surfacesenior
- What V8 is and why performance varies 100×junior
- V8''''s four-tier JIT pipeline and profile-guided tieringmiddle
- Hidden classes, transition trees, and memory layoutmiddle
- Inline caches, IC states, and deoptimizationmiddle
- Orinoco GC: parallel scavenger, concurrent marking, and write barriersmiddle
- TurboFan''''s speculative engine and the deopt-loop trapsenior
- V8 in production: isolates, pointer compression, and real failuressenior
- What workers are and why they existjunior
- Web worker mechanics: dedicated, shared, and OffscreenCanvasmiddle
- Structured clone and transferablesmiddle
- Service worker lifecycle and cache strategiesmiddle
- SharedArrayBuffer, Atomics, and cross-origin isolationsenior
- Service worker edge cases: version skew, durability, and navigation trapssenior
- Worker pools, Comlink, and production observabilitysenior
- What the reconciler does: render vs commitjunior
- The fiber object and the double-buffer treemiddle
- Render phase purity and commit phase sub-stepsmiddle
- Reconciliation: diffing heuristics and the key trapmiddle
- Priority lanes, time-slicing, and useTransitionmiddle
- Bailout, memoisation, and tearingsenior
- React Profiler, the Compiler, and production observabilitysenior
- Rendering strategies: SSG, SSR, ISR, streaming, and hydrationjunior
- SSG, SSR, ISR, streaming, and RSC — how each worksmiddle
- Hydration cost: selective, progressive, islands, resumabilitymiddle
- Hydration mismatch: causes, detection, and the determinism rulesenior
- RSC, per-route strategy, and production observabilitysenior
- Core Web Vitals: what LCP, INP, and CLS measurejunior
- CLS: why layout shifts happen and how to stop themmiddle
- Metric tradeoffs, RUM attribution, and the CI+field loopsenior
- The full picture: URL to LCP to INP as a relay racejunior
- Eight layers traced: from the service worker to the second navigationmiddle
- Five canonical breaks: where production reliably diessenior
- The three-track method: reading traces and building a monitored systemsenior
- What is a cache stampede and why it makes things worsejunior
- Lock and single-flight: bounding concurrent rebuildsmiddle
- XFetch: coordination-free probabilistic early expirationmiddle
- Stale-while-revalidate and CDN request coalescingmiddle
- Detecting stampedes and designing TTL for productionmiddle
- Metastable failure, fencing tokens, and production postmortemssenior
- What a relation is: tables, rows, keys, and constraintsjunior
- Constraints, keys, and Postgres data typesmiddle
- Normal forms, denormalization, and why schemas stickmiddle
- JSONB, arrays, and when a side table winsmiddle
- Heap storage, TOAST, and column alignmentsenior
- Schema integrity: deferral, versioning, and production failure modessenior
- Relational vs document, wide-column, graph, and key-valuesenior
- Index-only scans, the Visibility Map, and INCLUDEsenior
- Production failure modes and the index audit playbooksenior
- pg_statistic, ANALYZE, and production observabilitymiddle
- Production failure modes and plan stabilitysenior
- MVCC: why readers and writers never wait for each otherjunior
- Row versions and snapshots: the on-disk mechanicsmiddle
- HOT updates and isolation levels: what you gain and what you paymiddle
- Vacuum and bloat: keeping the storage tax boundedmiddle
- CLOG, XID wraparound, and MultiXact: deep visibility internalssenior
- SSI internals and production autovacuum tuningsenior
- Real-world MVCC failures, deployment patterns, and distributed snapshotssenior
- Connection pools: amortising the cost of a Postgres backendjunior
- PgBouncer session, transaction, and statement modesmiddle
- Pool sizing: the (cores × 2) + spindles formula and the two-layer stackmiddle
- Pool exhaustion and idle-in-transaction: the 3 AM failure modemiddle
- Migrating to transaction mode: rollout playbook and PgBouncer 1.21 prepared statementsmiddle
- The Postgres process model and why raising max_connections degrades throughputsenior
- Pooler landscape 2026, serverless connection storms, and the full failure-mode taxonomysenior
- What a schema migration is and why it replaces ad-hoc DDLjunior
- ADD COLUMN: instant in PG 11+ vs rewrite in older Postgresjunior
- The lock-queue failure mode: why instant DDL can freeze the databasemiddle
- Safe DDL patterns: NOT VALID, CONCURRENTLY, and unsafe-op fixesmiddle
- Expand-contract: zero-downtime for breaking schema changesmiddle
- Advisory locks, migration tools, and deploy coordinationsenior
- Migration failure taxonomy and production disciplinesenior
- Why sharding exists: the single-Postgres ceilingjunior
- Shard-key selection: hash, range, list, and directory strategiesmiddle
- Partitioning vs sharding: same word, two different thingsmiddle
- Co-location and Citus: the invariant that makes sharding usablemiddle
- The hot-shard failure mode: detection, isolation, and durable policymiddle
- Schema-based sharding and multi-tenancy alternativessenior
- Online resharding, 2PC, and the operational cost of shardingsenior
- The seven acts: from CREATE TABLE to Citusjunior
- Acts 1–3 in depth: schema, indexes, and planner statisticsmiddle
- Acts 4–6 in depth: MVCC bloat, connection pooling, and safe migrationsmiddle
- Act 7 in depth: sharding, co-location, and the seven-tier tradeoff cascademiddle
- Observability, anti-patterns, and production triagesenior
- Raft roles, terms, and why majority quorums prevent split brainjunior
- How Raft replicates a log entry and decides it is safe to commitmiddle
- Raft leader election: timeouts, voting rules, and the four safety propertiesmiddle
- Raft in the real world: partitions, slow disks, and client routingmiddle
- Raft extensions: pre-vote, learners, snapshots, and linearizable readssenior
- Raft in production: membership changes, Multi-Raft, and observabilitysenior
- Where data fetching happens — and why it decides LCPjunior
- Fetch waterfalls — diagnosis and the Promise.all curemiddle
- React Server Components and Suspense streamingmiddle
- Client-side cache: TanStack Query, SWR, and stale-while-revalidatemiddle
- LCP, prefetch, and race conditions in interactive fetchingmiddle
- Senior internals: RSC payload, caching layers, and production failure modessenior
- The IP envelopejunior
- Reading the IP headermiddle
- The three-way handshakejunior
- Sequence numbers and connection statemiddle
- DNS: what it does and why it existsjunior
- The resolver walk: referrals, record types, and gluemiddle
- TTL, caching, and DNS propagationmiddle
- What TLS does and why it existsjunior
- The 1-RTT handshake: key shares and ECDHEmiddle
- Session resumption and 0-RTTmiddle
- Key schedule, SNI, ALPN, and extensionssenior
- 0-RTT defenses, ECH, hybrid PQ, and production TLSsenior
- WebSocket: the HTTP upgrade handshakejunior
- WebSocket frame format: opcodes, masking, fragmentationmiddle
- WebSocket backpressure: when clients can''''t keep upmiddle
- Reconnection: jittered backoff, thundering herd, message resumptionsenior
- WebSocket at scale: HTTP/2 multiplexing, permessage-deflate, C10Msenior
- WebSocket in production: proxies, security, and distributed architecturesenior
- What reverse proxies dojunior
- Health checks, connection draining, and slow startmiddle
- Session affinity, consistent hashing, and the right fixmiddle
- Retry storms, circuit breakers, and load sheddingsenior
- Resilient LB architecture: anycast, zone-aware routing, and observabilitysenior
- Why QUIC and not TCP+TLSjunior
- Connection IDs and network migrationmiddle
- 0-RTT resumption and packet encryptionsenior
- DDoS: what it is and why it worksjunior
- Amplification attacks and state exhaustionmiddle
- Rate limiting: algorithms and architecturemiddle
- WAFs, firewalls, mTLS, and HSTSmiddle
- DNS cache poisoning and BGP hijackingsenior
- Defense-in-depth architecture and attack economicssenior
- The twelve layers: one URL, seven actorsjunior
- DNS, TCP, TLS in sequence: where the milliseconds gomiddle
- Proxy intercepts and security gates: rate limiters, WAF, mTLSmiddle
- Alternate paths: QUIC 0-RTT, WebSocket upgrade, connection migrationmiddle
- Observability: distributed traces, USE/RED, and samplingsenior
- Resilience: cascading retries, circuit breakers, and error budgetssenior
- What the three signals are: logs, metrics, and tracesjunior
- Why structured logs exist: the diary vs the spreadsheetjunior
- The production log schema: fields every line must carrymiddle
- PII redaction and log injectionsenior
- OTel Logs Data Model and audit logs as a subsystemsenior
- What is OpenTelemetry: API, SDK, Collector, OTLPjunior
- OTel signals, Semantic Conventions, and the OTLP wire formatmiddle
- The OTel Collector: receivers, processors, exporters, and deployment patternsmiddle
- Vendor neutrality, eBPF instrumentation, the Operator, and browser/serverless OTelsenior
- Operating the OTel Collector: reliability, version skew, failure modes, and governancesenior
- SLI, SLO, and the error budget: reliability by the numbersjunior
- Error budget policy, latency SLOs, and composite journeysmiddle
- Production SLO failures, self-observability, security, and the big picturesenior
- What is trace propagation and why broken propagation is worse than nonejunior
- traceparent and tracestate: the W3C header format in fullmiddle
- Baggage and async boundaries: carrying context across queues and callbacksmiddle
- Async context per language, service mesh, B3 migration, and securitysenior
- Production propagation failures, span links, and platform designsenior
- The debugging funnel: SLO → RED → trace → profilejunior
- OTel architecture: one SDK, four signals, one wire formatmiddle
- The incident loop: from pager to postmortem to preventionmiddle
- Scale, security, and the ROI of observable systemssenior
- Cache lines, struct layout, and false sharingmiddle
- SIMD, SoA vs AoS, and memory bandwidthmiddle
- Cache-oblivious algorithms, PGO, and production failuressenior
- GC in production: observability, security, edge cases, and fleet governancesenior
- Batching: amortize fixed cost per operationjunior
- The batching window: size and wait timemiddle
- Batching in Kafka and Postgresmiddle
- io_uring and observability of batchingmiddle
- From Nagle to io_uring: evolution of batchingmiddle
- Backpressure, failure isolation, and batch security in productionsenior
- CI enforcement and RUM: making budgets stickmiddle
- V8 JIT pipeline, HTTP priorities, and bundle securitysenior
- The performance loop: discipline, not a projectjunior
- Classify and fix: matching bottleneck families to remediesmiddle
- Observability stack and CI gates: catching regressions before they shipmiddle
- Incident to enforcement: SLO burn to verified fix in 35 minutesmiddle
- Culture, economics, and org-scale performancesenior
- At-most-once, at-least-once, exactly-once: the three delivery contractsjunior
- The three failure legs — where duplicates and losses actually happenmiddle
- Consumer-side dedup: the cheapest path to exactly-once processingmiddle
- Kafka exactly-once semantics: idempotent producer and transactionsmiddle
- SQS visibility timeout, DLQ, and the outbox patternmiddle
- Exactly-once in production: impossibility proof, hybrid patterns, and real incidentssenior