DPoP Validation Failures

Symptom

Requests fail with proof-of-possession validation errors. The gateway or token endpoint rejects DPoP proofs, returning errors such as invalid_dpop_proof, use_dpop_nonce, or HTTP 401 with a DPoP scheme challenge.

Likely Causes

The DPoP proof JWT is expired or has a future-dated iat claim
The htm (HTTP method) or htu (HTTP URI) fields in the proof do not match the actual request
The proof jti has already been seen (replay detection triggered)
The public key in the proof header does not match the key bound to the access token
Clock skew between the client and server exceeds the allowed tolerance
A required nonce value from the server was not included in the proof

How to Diagnose

Check 1

Decode the DPoP proof JWT and verify the htm, htu, iat, and jti claims match the outgoing request. Confirm the jwk header contains the correct public key.

Check 2

Compare the server clock with the client clock. If the iat claim falls outside the server's acceptable window, clock skew is the likely cause.

Check 3

Review gateway or authorization server logs for replay detection entries. Look for repeated jti values within the nonce window.

How to Resolve

Ensure each DPoP proof uses a unique jti value and a fresh iat timestamp
Match htm and htu exactly to the request method and URI (including scheme and port)
If the server returns a DPoP-Nonce header, include the provided nonce in the next proof
Synchronize client clocks using NTP to stay within the server's skew tolerance
Confirm the signing key pair is consistent between the DPoP proof and the token binding

Symptom​

Likely Causes​

How to Diagnose​

Check 1​

Check 2​

Check 3​

How to Resolve​

Related Docs​