DPoP and key pair generation frequency

I am looking to implement DPoP by following the guide at:

I’m implementing the “client-side” of the flow. I have many clients making requests against the resource server, so each of them needs to acquire access tokens.

Step 1 says: “The client generates a public/private key pair for use with DPoP.”

My question is: is it the best practice to generate a separate public/private key pair for each individual request? Or is it permitted to generate a public/private key pair once, and then use that same key pair for each request? I would perhaps rotate it every so often, but not on each request.

Thanks for your help.

Ryan

Hi there,

Thank you for reaching out to the Okta Developer Forum. My name is Akash, from Okta and I will be assisting you with your queries.

With regards to your query, please note that the public-private key pair is typically generated once and used throughout the entire lifecycle of the app, provided it is securely stored in the backend and not exposed.

However, depending on specific security requirements, it is advisable to rotate the key pair periodically.

Please feel free to reach out if you have any other questions or concerns.
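To make the answer above concrete, here is an added Go example (it is not from this thread and not Okta's own SDK code) showing the pattern the reply describes: one P-256 key pair generated when the client starts and reused for every DPoP proof, with per-request freshness coming from the proof claims (`jti`, `iat`, `htm`, `htu`) rather than from a new key. It also includes the resource-server side check that explains why the key must stay stable while a token is alive: the token is bound to the RFC 7638 thumbprint of that key (`cnf.jkt`), so a proof signed with a rotated key fails until a new token is acquired. The ES256 algorithm, the resource URL in the usage, and the reduced set of verifier checks are assumptions for illustration; the `ath` claim and `iat`/`jti` replay checks are deliberately omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
	"time"
)

// DPoPClient owns one long-lived P-256 key pair, generated once at construction and reused for
// every proof. Rotation means building a new DPoPClient and re-acquiring tokens (bound to the old jkt).
type DPoPClient struct{ key *ecdsa.PrivateKey }

func NewDPoPClient() (*DPoPClient, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &DPoPClient{key: k}, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// PublicJWK is the public key as it appears in the proof's "jwk" header.
func (c *DPoPClient) PublicJWK() map[string]string {
	x := c.key.PublicKey.X.FillBytes(make([]byte, 32))
	y := c.key.PublicKey.Y.FillBytes(make([]byte, 32))
	return map[string]string{"kty": "EC", "crv": "P-256", "x": b64(x), "y": b64(y)}
}

// Thumbprint is the RFC 7638 JWK thumbprint: SHA-256 over the required members in lexicographic
// order with no whitespace. The authorization server binds this value into the token's cnf.jkt.
func Thumbprint(jwk map[string]string) string {
	canon := `{"crv":"` + jwk["crv"] + `","kty":"` + jwk["kty"] + `","x":"` + jwk["x"] + `","y":"` + jwk["y"] + `"}`
	h := sha256.Sum256([]byte(canon))
	return b64(h[:])
}

// Proof builds one ES256 DPoP proof JWT for a single request. Everything that changes per request
// (jti, iat, htm, htu; ath omitted here) lives in the claims; the signing key does not change.
func (c *DPoPClient) Proof(method, uri string) (string, error) {
	jti := make([]byte, 16)
	if _, err := rand.Read(jti); err != nil {
		return "", err
	}
	header := map[string]interface{}{"typ": "dpop+jwt", "alg": "ES256", "jwk": c.PublicJWK()}
	claims := map[string]interface{}{"jti": b64(jti), "htm": method, "htu": uri, "iat": time.Now().Unix()}
	hb, _ := json.Marshal(header)
	cb, _ := json.Marshal(claims)
	signingInput := b64(hb) + "." + b64(cb)
	digest := sha256.Sum256([]byte(signingInput))
	r, s, err := ecdsa.Sign(rand.Reader, c.key, digest[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // JWS raw r||s
	return signingInput + "." + b64(sig), nil
}

// VerifyProof is the resource-server side reduced to the checks this question turns on: the proof
// verifies under its embedded key, that key's thumbprint equals the jkt bound into the access token,
// and htm/htu match the request. A real verifier also checks iat freshness, jti replay and ath.
func VerifyProof(proof, method, uri, boundJKT string) error {
	parts := strings.Split(proof, ".")
	if len(parts) != 3 {
		return errors.New("malformed proof")
	}
	dec := base64.RawURLEncoding.DecodeString
	var hdr struct{ Typ, Alg string; JWK map[string]string }
	hb, err := dec(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Typ != "dpop+jwt" || hdr.Alg != "ES256" {
		return errors.New("bad proof header")
	}
	if Thumbprint(hdr.JWK) != boundJKT {
		return errors.New("proof key does not match the token's cnf.jkt binding")
	}
	x, _ := dec(hdr.JWK["x"])
	y, _ := dec(hdr.JWK["y"])
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(x), Y: new(big.Int).SetBytes(y)}
	sig, err := dec(parts[2])
	if err != nil || len(sig) != 64 {
		return errors.New("bad signature encoding")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature does not verify")
	}
	var claims struct{ Htm, Htu string }
	if cb, _ := dec(parts[1]); json.Unmarshal(cb, &claims) != nil || claims.Htm != method || claims.Htu != uri {
		return errors.New("htm/htu do not match the request")
	}
	return nil
}
```

Usage follows the thread's advice: call `NewDPoPClient()` once per client process, keep the private key in the backend, call `Proof(method, url)` for every request, and treat a key rotation as a point at which existing access tokens must be re-acquired, since `VerifyProof` rejects a proof whose key thumbprint differs from the `jkt` the token was issued against.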
