Proof-of-Possession Access Tokens

By default, OAuth access tokens are so called bearer tokens. This means they are not bound to a client and anybody who possess the token can use it (compare to cash).

Proof-of-Possession (short PoP) tokens are bound to the client that requested the token. If that token leaks, it cannot be used by anyone else (compare to a credit card - well at least in an ideal world).

See this blog post for more history and motivation.

IdentityServer supports PoP tokens by using the Mutual TLS mechanism.