Sender-Constrained Tokens with mTLS
Learn how mutual-TLS client certificate binding turns bearer tokens into sender-constrained tokens, stopping stolen tokens from being replayed by attackers.
The Bearer Token Weakness
A plain bearer token works for anyone who holds it. If it leaks via logs, a proxy, or an XSS bug, the thief can use it freely. Sender-constrained tokens fix this by binding the token to the legitimate client.
What Is mTLS?
Mutual TLS means both sides present certificates: the server proves its identity (as usual) and the client also presents a certificate. The authorization server can then bind issued tokens to that client certificate, recording a fingerprint of the certificate in the token, so a resource server accepts the token only over a TLS connection on which the client presents that same certificate. A token stolen from logs or a proxy is useless without the client's private key.