descope · davidbemer · May 20, 2026 · May 20, 2026 · May 20, 2026 · davidbemer
diff --git a/README.md b/README.md
@@ -490,6 +490,30 @@ for more information.
 
 Alternatively, you can validate the session using Spring Framework middleware. See example using [java-spring](https://github.com/descope/java-spring).
 
+#### DPoP Sender-Constrained Tokens
+
+[DPoP (Demonstrated Proof of Possession, RFC 9449)](https://datatracker.ietf.org/doc/html/rfc9449) allows access tokens to be sender-constrained. When a Descope session token contains a `cnf.jkt` claim, the client must prove possession of the corresponding private key on every request by supplying a `DPoP` HTTP header.
+
+After validating the session token, call `validateDPoP` to verify the DPoP proof:
+
+```java
+AuthenticationService as = descopeClient.getAuthenticationServices().getAuthenticationService();
+
+try {
+    // 1. Validate the session token as usual
+    Token token = as.validateSessionWithToken(sessionToken);
+
+    // 2. Validate the DPoP proof (no-op if token is not DPoP-bound)
+    //    dpopProof  - value of the DPoP HTTP request header
+    //    method     - HTTP method of the current request (e.g. "GET")
+    //    requestUrl - full URL of the current request
+    as.validateDPoP(sessionToken, dpopProof, method, requestUrl);
+} catch (DescopeException de) {
+    // Handle the unauthorized error
+}
+```
+
+If the session token does not contain a `cnf.jkt` claim, `validateDPoP` does nothing, so it is safe to call unconditionally for all requests.
 
 ### Tenant selection
 

diff --git a/src/main/java/com/descope/sdk/auth/AuthenticationService.java b/src/main/java/com/descope/sdk/auth/AuthenticationService.java
@@ -275,4 +275,19 @@ boolean validatePermissions(Token token, String tenant, List<String> permissions
    * @throws DescopeException if there is an error or token is not valid
    */
   List<UserHistoryResponse> history(String refreshToken) throws DescopeException;
+
+  /**
+   * Validates a DPoP (Demonstrated Proof of Possession, RFC 9449) proof for a DPoP-bound session token.
+   * If the session token does not contain a {@code cnf.jkt} claim, this method does nothing.
+   * Must be called after validating the session token whenever the protected resource
+   * requires sender-constrained tokens.
+   *
+   * @param sessionToken the raw session JWT string
+   * @param dpopProof    the DPoP proof JWT from the {@code DPoP} HTTP request header
+   * @param method       the HTTP method of the request (e.g. "GET", "POST")
+   * @param requestUrl   the full URL of the HTTP request
+   * @throws DescopeException if the DPoP proof is invalid or missing when required
+   */
+  void validateDPoP(String sessionToken, String dpopProof, String method, String requestUrl)
+      throws DescopeException;
 }
diff --git a/src/main/java/com/descope/sdk/auth/impl/AuthenticationServiceImpl.java b/src/main/java/com/descope/sdk/auth/impl/AuthenticationServiceImpl.java
@@ -21,6 +21,7 @@
 import com.descope.model.user.response.UserHistoryResponse;
 import com.descope.model.user.response.UserResponse;
 import com.descope.proxy.ApiProxy;
+import com.descope.utils.DPoPUtils;
 import com.fasterxml.jackson.core.type.TypeReference;
 import java.net.URI;
 import java.util.ArrayList;
@@ -264,6 +265,15 @@ public AuthenticationInfo selectTenant(String tenantId, String refreshToken) thr
     return getAuthenticationInfo(jwtResponse);
   }
 
+  @Override
+  public void validateDPoP(String sessionToken, String dpopProof, String method, String requestUrl)
+      throws DescopeException {
+    if (StringUtils.isBlank(sessionToken)) {
+      throw ServerCommonException.invalidArgument("sessionToken");
+    }
+    DPoPUtils.validateDPoPProof(dpopProof, method, requestUrl, sessionToken);
+  }
+
   AuthenticationInfo exchangeToken(String code, URI url) {
     if (StringUtils.isBlank(code)) {
       throw ServerCommonException.invalidArgument("Code");