A proof of possession, or PoP, token is an access token that requires the holder to demonstrate possession of associated cryptographic material before it can be used. It matters because bearer tokens can often be abused by anyone who steals them intact.
What is a Proof of Possession (PoP) Token?
Unlike a simple bearer token, a PoP token is tied to a key or proof mechanism that the client must present or use when making a request. This helps verify that the request is coming from the legitimate holder rather than from someone who merely copied the token.
What PoP Tokens Commonly Improve
Common benefits include reduced replay risk, stronger API protection, lower token portability, and improved trust in machine-to-machine or user sessions.
PoP Token vs. Bearer Token
A bearer token can often be used by whoever possesses it. A PoP token requires additional proof that the holder controls the associated key material.
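The possession check described above, worked through in Go as an added example (this is illustration written for this page, not code from the original page or any particular product). An issuer binds a token to the hash of the client's public key, the client signs a per-request proof with the matching private key, and the resource server refuses the request unless the proof's key is the bound key, the proof targets exactly this request, and it has not been seen before. The token layout, the proof fields (method, URL, issue time, unique id, public key, signature), the endpoint URL and the names IssueToken, SignProof and ResourceServer are all constructed for the example; the issuer's own signature over the token is assumed to be verified elsewhere and is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AccessToken is the claim set the issuer hands out. Cnf binds the token to the
// client's public key; that binding is what makes it a PoP token. (Constructed layout.)
type AccessToken struct {
	Sub string `json:"sub"`
	Cnf string `json:"cnf"` // hex SHA-256 thumbprint of the client's public key
	Exp int64  `json:"exp"`
}

// Proof travels with the token on every request and is signed by the client.
type Proof struct {
	Method string `json:"htm"`
	URL    string `json:"htu"`
	Iat    int64  `json:"iat"`
	JTI    string `json:"jti"` // unique per proof so the server can refuse reuse
	PubKey []byte `json:"pub"` // the signer's Ed25519 public key
	Sig    []byte `json:"sig,omitempty"`
}

// Thumbprint is the identifier the token uses to name the client's key.
func Thumbprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// IssueToken (issuer side) binds a token to the requesting client's key. The
// issuer's own signature over the token is assumed to be verified elsewhere.
func IssueToken(sub string, pub ed25519.PublicKey, exp time.Time) ([]byte, error) {
	return json.Marshal(AccessToken{Sub: sub, Cnf: Thumbprint(pub), Exp: exp.Unix()})
}

// proofMessage is what gets signed: the proof fields (minus the signature)
// followed by the token bytes, so one signature commits to request and token.
func proofMessage(p Proof, token []byte) ([]byte, error) {
	p.Sig = nil
	body, err := json.Marshal(p)
	if err != nil { return nil, err }
	return append(body, token...), nil
}

// SignProof (client side) proves possession of the private key for one request.
func SignProof(priv ed25519.PrivateKey, method, url, jti string, now time.Time, token []byte) (Proof, error) {
	pub := priv.Public().(ed25519.PublicKey)
	p := Proof{Method: method, URL: url, Iat: now.Unix(), JTI: jti, PubKey: pub}
	msg, err := proofMessage(p, token)
	if err != nil { return Proof{}, err }
	p.Sig = ed25519.Sign(priv, msg)
	return p, nil
}

// ResourceServer remembers used proof ids so a captured proof cannot be replayed.
type ResourceServer struct {
	Seen    map[string]bool
	MaxSkew time.Duration // how far a proof's iat may sit from server time
}

// Verify accepts a request only if the token is unexpired, the proof targets this
// exact request, is fresh and unused, and was signed by the key the token is bound to.
func (rs *ResourceServer) Verify(token []byte, p Proof, method, url string, now time.Time) error {
	var tok AccessToken
	if err := json.Unmarshal(token, &tok); err != nil { return err }
	if now.Unix() > tok.Exp { return errors.New("token expired") }
	if p.Method != method || p.URL != url { return errors.New("proof bound to a different request") }
	if age := now.Sub(time.Unix(p.Iat, 0)); age > rs.MaxSkew || age < -rs.MaxSkew { return errors.New("proof outside the acceptance window") }
	if rs.Seen[p.JTI] { return errors.New("proof already used") }
	if len(p.PubKey) != ed25519.PublicKeySize { return errors.New("malformed proof key") }
	if Thumbprint(p.PubKey) != tok.Cnf { return errors.New("proof key is not the key the token was issued to") }
	msg, err := proofMessage(p, token)
	if err != nil { return err }
	if !ed25519.Verify(ed25519.PublicKey(p.PubKey), msg, p.Sig) { return errors.New("invalid proof signature") }
	if rs.Seen == nil { rs.Seen = map[string]bool{} }
	rs.Seen[p.JTI] = true // record only after every check has passed
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	tok, _ := IssueToken("alice", pub, now.Add(time.Hour))
	rs := &ResourceServer{MaxSkew: 5 * time.Minute}
	url := "https://api.example.test/orders" // constructed endpoint
	proof, _ := SignProof(priv, "GET", url, "jti-1", now, tok)
	fmt.Println("legitimate request:     ", rs.Verify(tok, proof, "GET", url, now))
	fmt.Println("same proof replayed:    ", rs.Verify(tok, proof, "GET", url, now))
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	foreign, _ := SignProof(otherPriv, "GET", url, "jti-2", now, tok)
	fmt.Println("copied token, other key:", rs.Verify(tok, foreign, "GET", url, now))
}
```

Each check in Verify closes a different way a token copied out of its client could still be used: the thumbprint comparison rejects a holder without the bound private key, the jti cache rejects a captured proof presented twice, the method and URL inside the signed message stop a proof from being re-targeted at another endpoint, and the iat window bounds how long jti values must be remembered. In a deployment the jti cache has to be shared across every replica of the resource server and sized to the window, and the skew tolerance is a trade-off between tolerating clock drift and shortening the replay window.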
Frequently Asked Questions
Why are PoP tokens useful?
Because they make stolen tokens harder to reuse outside their intended client context.
Are PoP tokens always necessary?
Not always. They add complexity, so they are most valuable where replay risk and token sensitivity are high.