# Attesto v0.13.0 - Table of Contents

> Vendor-neutral OAuth2/OIDC engine for Elixir with DPoP, mTLS, and PKCE sender-constraint support.

## Pages

- [Attesto](readme.md)
- Changelog
  - [Changelog](changelog.md)
- License
  - [LICENSE](license.md)

## Modules

- [Attesto](Attesto.md): A vendor-neutral OAuth 2.0 / OIDC authorization-server and resource-server engine.
- [Attesto.AuthorizationRequest](Attesto.AuthorizationRequest.md): Authorization endpoint request validation (RFC 6749 §4.1.1, OIDC Core §3.1.2.1, RFC 7636 §4.3).
- [Attesto.ClientAssertion](Attesto.ClientAssertion.md): `private_key_jwt` client authentication verification (RFC 7523 / OIDC Core).
- [Attesto.ClientIdMetadata](Attesto.ClientIdMetadata.md): Client ID Metadata Documents - CIMD (`draft-ietf-oauth-client-id-metadata-document-01`, IETF OAuth WG).
- [Attesto.DeviceCode](Attesto.DeviceCode.md): RFC 8628 Device Authorization Grant — the conn-free core.
- [Attesto.DeviceCode.Grant](Attesto.DeviceCode.Grant.md): The validated context a successfully redeemed device code yields (RFC 8628 §3.4).
- [Attesto.DeviceCodeStore](Attesto.DeviceCodeStore.md): Storage seam for the RFC 8628 device authorization grant.
- [Attesto.DeviceCodeStore.ETS](Attesto.DeviceCodeStore.ETS.md): Single-node ETS implementation of `Attesto.DeviceCodeStore`.
- [Attesto.EndSession](Attesto.EndSession.md): Validate an OpenID Connect RP-Initiated Logout request (OpenID Connect RP-Initiated Logout 1.0 §2-3).
- [Attesto.Introspection](Attesto.Introspection.md): OAuth 2.0 Token Introspection (RFC 7662), conn-free core.
- [Attesto.JARM](Attesto.JARM.md): JWT Secured Authorization Response Mode (JARM).
- [Attesto.LogoutSessionStore](Attesto.LogoutSessionStore.md): Storage seam for OpenID Connect Back-Channel Logout 1.0.
- [Attesto.LogoutToken](Attesto.LogoutToken.md): Mint OpenID Connect Back-Channel Logout `logout_token`s (OpenID Connect Back-Channel Logout 1.0 §2.4).
- [Attesto.OpenIDDiscovery](Attesto.OpenIDDiscovery.md): OpenID Connect Discovery 1.0 - OpenID Provider Metadata (§3).
- [Attesto.ProtectedResourceMetadata](Attesto.ProtectedResourceMetadata.md): RFC 9728 - OAuth 2.0 Protected Resource Metadata.
- [Attesto.RequestObject](Attesto.RequestObject.md): Signed OpenID Connect Request Object verification (JAR, RFC 9101 / OIDC §6.1).
- [Attesto.RequestObject.Policy](Attesto.RequestObject.Policy.md): Verification policy for signed authorization request objects (JAR, RFC 9101).
- [Attesto.ResourceIndicator](Attesto.ResourceIndicator.md): RFC 8707 Resource Indicators for OAuth 2.0 — the conn-free primitive.
- [Attesto.SignedIntrospection](Attesto.SignedIntrospection.md): JWT response for OAuth 2.0 Token Introspection (RFC 9701).
- [Attesto.SigningAlg](Attesto.SigningAlg.md): Key-derived JOSE signing algorithm helpers.
- [Attesto.StepUp](Attesto.StepUp.md): RFC 9470 Step-Up Authentication Challenge — the conn-free core primitive.
- [Attesto.StepUp.Requirement](Attesto.StepUp.Requirement.md): A normalized RFC 9470 step-up authentication requirement for a protected route.
- Core
  - [Attesto.Config](Attesto.Config.md): Immutable configuration a token operation runs against.
  - [Attesto.IDToken](Attesto.IDToken.md): Mint and verify OpenID Connect ID Tokens (OpenID Connect Core 1.0 §2).
  - [Attesto.PrincipalKind](Attesto.PrincipalKind.md): One kind of subject a token can describe.
  - [Attesto.Token](Attesto.Token.md): Mint and verify RS256 JWT access tokens.
- Grants
  - [Attesto.AuthorizationCode](Attesto.AuthorizationCode.md): RFC 6749 §4.1 authorization-code grant, with mandatory PKCE (RFC 7636, S256) and optional DPoP binding of the code (RFC 9449 §10).
  - [Attesto.AuthorizationCode.Grant](Attesto.AuthorizationCode.Grant.md): The validated context a successfully redeemed authorization code yields.
  - [Attesto.IdentityAssertion](Attesto.IdentityAssertion.md): Identity Assertion JWT Authorization Grant (ID-JAG) verification - the resource Authorization Server's half of the Identity Assertion Authorization Grant (`draft-ietf-oauth-identity-assertion-authz-grant-04`), the grant behind MCP Enterprise-Managed Authorization (EMA).
  - [Attesto.PKCE](Attesto.PKCE.md): RFC 7636 - Proof Key for Code Exchange (PKCE).
  - [Attesto.RefreshToken](Attesto.RefreshToken.md): Refresh-token issuance and rotation with reuse detection (RFC 6749 §6 / §10.4, OAuth 2.0 Security BCP).
  - [Attesto.Revocation](Attesto.Revocation.md): RFC 7009 - OAuth 2.0 Token Revocation, for refresh tokens.
- Plugs
  - [Attesto.Plug.Authenticate](Attesto.Plug.Authenticate.md): Authenticate a protected-resource request: verify the access token and, for a DPoP-bound or mTLS-bound token, the sender-constraint proof.
  - [Attesto.Plug.OAuthError](Attesto.Plug.OAuthError.md): Render the RFC 6750 / RFC 9449 error responses for the Attesto plugs.
  - [Attesto.Plug.RequireScopes](Attesto.Plug.RequireScopes.md): Authorize a request against the scopes on the verified token.
- Stores
  - [Attesto.CodeStore](Attesto.CodeStore.md): Storage seam for authorization codes.
  - [Attesto.CodeStore.ETS](Attesto.CodeStore.ETS.md): Single-node ETS implementation of `Attesto.CodeStore`.
  - [Attesto.DPoP.NonceStore](Attesto.DPoP.NonceStore.md): Storage seam for server-issued DPoP nonces (RFC 9449 §8).
  - [Attesto.DPoP.NonceStore.ETS](Attesto.DPoP.NonceStore.ETS.md): Single-node ETS implementation of `Attesto.DPoP.NonceStore`.
  - [Attesto.RefreshStore](Attesto.RefreshStore.md): Storage seam for refresh tokens, with the atomic primitive that makes reuse detection possible.
  - [Attesto.RefreshStore.ETS](Attesto.RefreshStore.ETS.md): Single-node ETS implementation of `Attesto.RefreshStore`.
- Sender-constraint
  - [Attesto.DPoP](Attesto.DPoP.md): RFC 9449 - OAuth 2.0 Demonstrating Proof of Possession (DPoP).
  - [Attesto.DPoP.ReplayCache](Attesto.DPoP.ReplayCache.md): In-memory, TTL-bounded cache of seen DPoP proof `jti` values.
  - [Attesto.MTLS](Attesto.MTLS.md): RFC 8705 - OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens.
- Scopes
  - [Attesto.Scope](Attesto.Scope.md): Scope grant-form matching for OAuth-style `.` scopes.
- Metadata
  - [Attesto.Discovery](Attesto.Discovery.md): RFC 8414 - OAuth 2.0 Authorization Server Metadata.
  - [Attesto.JWKS](Attesto.JWKS.md): RFC 7517 - publish the signing keys' public halves as a JWK Set.
- Keys
  - [Attesto.Key](Attesto.Key.md): Pure helpers for working with signing material as PEM strings.
  - [Attesto.Keystore](Attesto.Keystore.md): The behaviour Attesto uses to obtain signing and verification keys.
  - [Attesto.Keystore.Static](Attesto.Keystore.Static.md): A simple `Attesto.Keystore` backed by application configuration.
- Shared
  - [Attesto.ClusterGuard](Attesto.ClusterGuard.md): Refuse to start a per-node ETS store on a clustered BEAM.
  - [Attesto.Secret](Attesto.Secret.md): Generate and hash the opaque secrets that back stateful grants.
  - [Attesto.SecureCompare](Attesto.SecureCompare.md): Constant-time comparison of two binaries.
  - [Attesto.Thumbprint](Attesto.Thumbprint.md): Canonical SHA-256 thumbprint shape, shared across the sender-constraint schemes.
- Testing
  - [Attesto.Test.DPoP](Attesto.Test.DPoP.md): DPoP test fixtures for host application suites.
  - [Attesto.Test.DPoPVerifier](Attesto.Test.DPoPVerifier.md): Server-side DPoP verification harness for host application test suites.