
00uqr4we1XBzOyLbS351.5609495785434294E12 (Customer) asked a question.
I am looking to implement DPoP by following the guide at:
https://developer.okta.com/docs/guides/dpop/nonoktaresourceserver/main
I'm implementing the "client-side" of the flow. I have many clients making requests against the resource server, so each of them needs to acquire access tokens.
Step 1 says: "The client generates a public/private key pair for use with DPoP."
My question is: is it the best practice to generate a separate public/private key pair for each individual request? Or is it permitted to generate a public/private key pair once, and then use that same key pair for each request? I would perhaps rotate it every so often, but not on each request.
Thanks for your help.
Ryan

Hi @00uqr4we1XBzOyLbS351.5609495785434294E12 (Customer), thank you for reaching out to the Okta Community!
This question is more appropriate for our dedicated Okta Developer Forum.
My advice would be to reach out via devforum.okta.com to take advantage of their expertise.
While we'll do our best to answer all of your questions here, this medium is more inclined towards Okta core products and features (non-custom/developer work).
That being said, I ran this by some of my colleagues and was informed that "DPoP public key sent during token request will be bound to the access token. So you cannot use a different key to sign dpop proof while using that access token."
I recommend checking with my colleagues on the devforum side for clarification if needed.
Regards.