Important: This documentation covers Yarn 1 (Classic).
For Yarn 2+ docs and migration guide, see yarnpkg.com.

Package detail

dpop

panva1.9mMIT2.1.1TypeScript support: included

DPoP (RFC9449) for JavaScript Runtimes

dpop, rfc9449

readme

dpop

OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer (DPoP) for JavaScript Runtimes

💗 Help the project

Dependencies: 0

API Reference

dpop is distributed via npmjs.com, jsdelivr.com, and github.com.

Example

ESM import[^cjs]

import * as DPoP from 'dpop'

DPoP Key Pair generation

const keypair = await DPoP.generateKeyPair('ES256', { extractable: false })

AS proof generation

let nonce!: string | undefined
const proof = await DPoP.generateProof(keypair, 'https://as.example.com/token', 'POST', nonce)

AS Authorization Code Binding via dpop_jkt

const dpop_jkt = await DPoP.calculateThumbprint(keyPair.publicKey)

AS proof generation

let nonce!: string | undefined
let accessToken!: string

const proof = await DPoP.generateProof(
  keypair,
  'https://rs.example.com/api',
  'GET',
  nonce,
  accessToken,
)

Supported Runtimes

The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are (but are not limited to):

  • Browsers
  • Bun
  • Cloudflare Workers
  • Deno
  • Electron
  • Node.js[^nodejs]
  • Vercel's Edge Runtime

Supported Versions

Version Security Fixes 🔑 Other Bug Fixes 🐞 New Features ⭐
v2.x Security Policy

[^cjs]: CJS style let dpop = require('dpop') is possible in Node.js versions where the require(esm) feature is enabled by default (^20.19.0 || ^22.12.0 || >= 23.0.0).

[^nodejs]: Node.js v20.x as baseline is required

changelog

Changelog

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

2.1.1 (2025-07-02)

2.1.0 (2025-06-19)

Features

  • support for calculating dpop_jkt (64ef4ce)

2.0.0 (2025-06-19)

⚠ BREAKING CHANGES

  • use named exports, update docs, update dev deps and workflows
  • remove the modulusLength generate key option
  • remove the EdDSA deprecated algorithm support

Features

  • add support for the fully-specified Ed25519 JWS Algorithm (ca266d9)

Refactor

  • remove the EdDSA deprecated algorithm support (cc050dc)
  • remove the modulusLength generate key option (6c6c6e4)
  • use named exports, update docs, update dev deps and workflows (3502f38)

1.4.1 (2024-05-27)

Fixes

1.4.0 (2023-09-08)

Features

1.3.0 (2023-09-08)

Features

1.2.0 (2023-04-26)

Features

  • release process with provenance (1053717)

1.1.0 (2022-09-28)

Features

  • add EdDSA (Ed25519) JWS support (dd52a63)

1.0.0 (2022-05-19)

0.7.0 (2022-05-18)

⚠ BREAKING CHANGES

  • updated API, updated draft to -08

Refactor

  • updated API, updated draft to -08 (10dd522)

0.6.0 (2021-04-08)

⚠ BREAKING CHANGES

  • function signature changed to function DPoP(keypair: CryptoKeyPair, alg: string, htu: string, htm: string, accessToken?: string, additional?: object) => Promise<string>; to accommodate for the optional resource access ath (hash of the access token) claim.

Features

0.5.5 (2020-04-02)

0.5.4 (2020-04-02)

0.5.3 (2020-03-31)

0.5.2 (2020-03-31)

0.5.1 (2020-03-31)

Bug Fixes

0.5.0 (2020-03-31)

Build System

  • move to ts, src, web distro bundles (85a744c)

BREAKING CHANGES

  • module entrypoints re-defined

0.4.0 (2020-03-10)

Features

  • DPoP for the browser - ESM module implementation (individual draft 04) (df163bd)