Configure Sender Constraining
Sender constraining is an OAuth 2.0 and OpenID Connect (OIDC) security mechanism that cryptographically binds access and refresh tokens to the specific client application that obtained them, preventing token theft and misuse.
Auth0 supports mTLS sender constraining and Demonstrating Proof-of-Possession (DPoP). If you enable sender constraining for a client application, then you must also enforce it for the resource server you’re making API calls to.
To configure sender constraining in Auth0, you must:
How it works
Access tokens are sender constrained in Auth0 depending on how you configure sender constraining for your client application and resource server:
Requested audience: In a token request, whether the requested audience is
/userinfo
only, or only intended to be used with the/userinfo
endpoint, or is a custom API that may include/userinfo
when you also request the openid scope, affects whether access tokens are sender constrained.Client application: Whether you set sender constraining as
required
by the client application.Resource server: Whether you configure sender constraining for the resource server:
none
: You have not configured sender constraining for the resource server.allowed
: You have configured sender constraining for the resource server by setting a sender constraining method.required
: You have configured sender constraining as required for the resource server, meaning that access tokens must be sender-constrained to an application. Requires a sender constraining method.
Proof-of-Possession: Whether the client application sent a proof-of-possession assertion in the token request:
mTLS sender constraining: The proof of possession is demonstrated through the client's successful presentation of a specific private key (associated with a client certificate) during the TLS handshake.
DPoP: The proof of possession is achieved by the client creating a DPoP Proof JWT by cryptographically signing it with its private key and including the
DPoP
Proof JWT in the DPoP HTTP header of every request where the associated access token is used.
The following table describes how access tokens are issued and whether they are sender-constrained based on various client request parameters and Auth0 resource server configurations:
Requested Audience Type | Client Requires PoP? | Proof-of-Possession (PoP) Sent by Client? | Auth0 Resource Server Policy: None | Auth0 Resource Server Policy: Allowed (Not Required) | Auth0 Resource Server Policy: Required |
---|---|---|---|---|---|
Userinfo Only | No | No | Issued, Not Sender-Constrained | N/A | N/A |
Userinfo Only | No | Yes | Issued, Sender-Constrained | N/A | N/A |
Userinfo Only | Yes | No | Not Issued | N/A | N/A |
Userinfo Only | Yes | Yes | Issued, Sender-Constrained | N/A | N/A |
Custom Audience (may contain Userinfo) | No | No | Issued, Not Sender-Constrained | Issued, Not Sender-Constrained | Not Issued |
Custom Audience (may contain Userinfo) | No | Yes | Issued, Not Sender-Constrained | Issued, Sender-Constrained | Issued, Sender-Constrained |
Custom Audience (may contain Userinfo) | Yes | No | Not Issued | Not Issued | Not Issued |
Custom Audience (may contain Userinfo) | Yes | Yes | Not Issued | Issued, Sender-Constrained | Issued, Sender-Constrained |
Configure sender constraining for a client application
When you require sender constraining for a client application, access tokens are constrained to that application. Auth0 verifies requests to ensure that only the application that requested the token can use it to access the associated resource.
Once you configure a client application to require sender constraining, you can set the sender constraining method, either mTLS or DPoP, when configuring your resource server.
You can configure sender constraining for a client application with the Auth0 Dashboard or Management API.
Go to Dashboard > Applications > Applications. Select the application you want to configure.
Under Settings, scroll to Token Sender-Constraining.
Toggle on to Require Sender Constraining. Toggle off to remove the requirement for Sender Constraining for the application.

To configure a client for Sender Constraining, use the Management API.
To require Sender Constraining for a client, send a PATCH request to update the client's settings. Set the require_proof_of_possession
parameter to true
.
"require_proof_of_possession": true
Was this helpful?
To remove the requirement for Sender Constraining, set the require_proof_of_possession
parameter to false
.
"require_proof_of_possession": false
Was this helpful?
Configure sender constraining for a resource server
Access tokens issued by Auth0 can be constrained to the sender (i.e. the client application) that needs to access APIs at a resource server.
You can configure sender constraining for a resource server with the Auth0 Dashboard or Management API.
To enable Token Binding or sender constraining, configure the API Settings of your API.
Navigate to Auth0 Dashboard > Applications > APIs.
Select the API you want to configure.
Under the Settings tab, find the Token Sender-Constraining section.
Configure the following:
Sender Constraining Method:
None: Don’t enable a sender constraining method for your resource server.
mTLS: Enable mTLS as the sender constraining method for your resource server.
DPoP: Enable DPoP as the sender constraining method for your resource server.
B. Toggle on Require Token Sender Constraining. All access tokens issued to an application for this API will be constrained to that application.

To enable Sender Constraining with the Management API, send a PATCH request to update the resource server. Set the parameters of the proof_of_possession
object to the following:
Parameter | Description |
---|---|
mechanism |
Sets the sender-constraining method: none , mtls , or dpop . |
required |
When set to true , all access tokens issued to an application for this API will be constrained to that application. When set to false , sender constraining is not required for the application. |
The following code sample is an example request body that configures a resource server for mTLS Sender Constraining:
"proof_of_possession": {
"mechanism": "mtls",
"required": true
}
Was this helpful?