I am looking to implement DPoP by following the guide at:
I’m implementing the “client-side” of the flow. I have many clients making requests against the resource server, so each of them needs to acquire access tokens.
Step 1 says: “The client generates a public/private key pair for use with DPoP.”
My question is: is it the best practice to generate a separate public/private key pair for each individual request? Or is it permitted to generate a public/private key pair once, and then use that same key pair for each request? I would perhaps rotate it every so often, but not on each request.
Thanks for your help.
Ryan