OAuth 2.0 Demonstrating Proof of Possession
RFC 9449, “OAuth 2.0 Demonstrating Proof of Possession”, is a Proposed Standard document published in September 2023 by D. Fett, B. Campbell, J. Bradley, T. Lodderstedt, M. Jones, and D. Waite. The canonical text is published by the RFC Editor.
Abstract
This document describes a mechanism for sender-constraining OAuth 2.0 tokens via a proof-of-possession mechanism on the application level. This mechanism allows for the detection of replay attacks with access and refresh tokens.
What “Proposed Standard” means
An entry-level standards-track specification: stable, peer-reviewed and a solid basis for implementation, though it may still evolve before becoming an Internet Standard.
The canonical text of RFC 9449 is hosted at rfc-editor.org. Available in HTML, TXT, PDF, and XML.
- RFC 9448 TNAuthList Profile of Automated Certificate Management Environment Authority Token
- RFC 9450 Reliable and Available Wireless Use Cases
- RFC 9447 Automated Certificate Management Environment Challenges Using an Authority Token
- RFC 9451 Operations, Administration, and Maintenance Packet and Behavior in the Network Service Header
- RFC 9446 Reflections on Ten Years Past the Snowden Revelations
- RFC 9452 Network Service Header Encapsulation for In Situ OAM Data
- RFC 9445 RADIUS Extensions for DHCP-Configured Services
- RFC 9453 Applicability and Use Cases for IPv6 over Networks of Resource-constrained Nodes