See Sender constraining personal access tokens (#425130) for more context. This MR makes use of the backend DPoP checks that are introduced in Parse and validate DPoP Tokens (!166206 - merged).
Feature.enable(:dpop_authentication, User.find(1))
UserPreferences::UpdateService.new(User.find(1), {dpop_enabled: true}).execute
Using glab from this branch, generate a DPoP header: bin/glab auth dpop-gen --pat "<glpat-PAT>" --private-key ~/.ssh/id_rsa
curl http://localhost:3000/api/v4/projects --header "Private-Token: <glpat-PAT>" --header "DPoP: <GLAB OUTPUT HERE>"
curl -X POST -H "Content-Type: application/json" -H "Private-Token: <glpat-PAT>" -H "DPoP: <GLAB OUTPUT HERE>" -d '{ "query": "query { currentUser { id } }" }' "http://localhost:3000/api/graphql"
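Before sending the curl requests above, the generated proof can be checked locally. The following is an added example, not code from this MR, GitLab or glab: it decodes a DPoP proof and checks that it is bound to the PAT it will accompany. The field names (`typ`, `jwk`, `ath`, `iat`, `jti`) come from RFC 9449; that the backend checks the same fields, the 300-second window, and all function names are assumptions.

```ruby
require "base64"
require "digest"
require "json"

# Decode one base64url JWT segment (no signature verification).
def decode_segment(segment)
  JSON.parse(Base64.urlsafe_decode64(segment))
end

# RFC 9449 `ath`: unpadded base64url of SHA-256 over the access token.
def expected_ath(token)
  Base64.urlsafe_encode64(Digest::SHA256.digest(token), padding: false)
end

# Hypothetical helper: list the problems in a DPoP proof for the given PAT.
# Checks structure and token binding only; the signature is NOT verified.
def inspect_dpop_proof(proof, pat, now: Time.now.to_i, max_age: 300)
  parts = proof.split(".")
  return ["not a three-part JWT"] unless parts.length == 3
  header, claims = decode_segment(parts[0]), decode_segment(parts[1])
  return ["header or payload is not a JSON object"] unless header.is_a?(Hash) && claims.is_a?(Hash)
  jwk = header["jwk"]
  problems = []
  problems << "typ is not dpop+jwt" unless header["typ"] == "dpop+jwt"
  problems << "no public key (jwk) in header" unless jwk.is_a?(Hash)
  problems << "jwk contains private key material" if jwk.is_a?(Hash) && jwk.key?("d")
  problems << "ath does not match this token" unless claims["ath"] == expected_ath(pat)
  problems << "missing jti" if claims["jti"].to_s.empty?
  iat = claims["iat"]
  unless iat.is_a?(Integer) && (now - iat).abs <= max_age
    problems << "iat missing or outside #{max_age}s window"
  end
  problems
rescue JSON::ParserError, ArgumentError
  ["segments are not valid base64url JSON"]
end

# Constructed sample proof: placeholder key material and a dummy signature.
def sample_proof(pat, iat)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  header = { "typ" => "dpop+jwt", "alg" => "RS256",
             "jwk" => { "kty" => "RSA", "e" => "AQAB", "n" => "constructed" } }
  claims = { "ath" => expected_ath(pat), "iat" => iat, "jti" => "constructed-jti-1" }
  [enc.call(header), enc.call(claims), "c2ln"].join(".")
end
```

An empty list means the proof is well formed and bound to that PAT; a proof generated for one PAT and sent with another is reported as an `ath` mismatch.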