auth0 · pmathew92 · Mar 24, 2026 · Mar 23, 2026 · Mar 24, 2026 · Copilot
@@ -55,6 +55,13 @@ public class AuthenticationAPIClient @VisibleForTesting(otherwise = VisibleForTe
 
     private var dPoP: DPoP? = null
 
+    /**
+     * Returns whether DPoP (Demonstrating Proof of Possession) is enabled on this client.
+     * DPoP is enabled by calling [useDPoP].
+     */
+    public val isDPoPEnabled: Boolean
+        get() = dPoP != null
+
     /**
      * Creates a new API client instance providing Auth0 account info.
      *

@@ -20,6 +20,10 @@ public abstract class BaseCredentialsManager internal constructor(
     protected val storage: Storage,
     private val jwtDecoder: JWTDecoder
 ) {
+
+    internal companion object {
+        internal const val KEY_DPOP_THUMBPRINT = "com.auth0.dpop_key_thumbprint"
+    }
-    internal companion object {
-        internal const val KEY_DPOP_THUMBPRINT = "com.auth0.dpop_key_thumbprint"
-    }
-    internal companion object {
-        internal const val KEY_DPOP_THUMBPRINT = "com.auth0.dpop_key_thumbprint"
-    }
     private var _clock: Clock = ClockImpl()
 
     /**

@@ -48,6 +48,8 @@ public class CredentialsManagerException :
         API_ERROR,
         SSO_EXCHANGE_FAILED,
         MFA_REQUIRED,
+        DPOP_KEY_MISSING,
+        DPOP_NOT_CONFIGURED,
         UNKNOWN_ERROR
     }
 
@@ -159,6 +161,11 @@ public class CredentialsManagerException :
         public val MFA_REQUIRED: CredentialsManagerException =
             CredentialsManagerException(Code.MFA_REQUIRED)
 
+        public val DPOP_KEY_MISSING: CredentialsManagerException =
+            CredentialsManagerException(Code.DPOP_KEY_MISSING)
+        public val DPOP_NOT_CONFIGURED: CredentialsManagerException =
+            CredentialsManagerException(Code.DPOP_NOT_CONFIGURED)
+
         public val UNKNOWN_ERROR: CredentialsManagerException = CredentialsManagerException(Code.UNKNOWN_ERROR)
 
 
@@ -207,6 +214,8 @@ public class CredentialsManagerException :
                 Code.API_ERROR -> "An error occurred while processing the request."
                 Code.SSO_EXCHANGE_FAILED ->"The exchange of the refresh token for SSO credentials failed."
                 Code.MFA_REQUIRED -> "Multi-factor authentication is required to complete the credential renewal."
+                Code.DPOP_KEY_MISSING -> "The stored credentials are DPoP-bound but the DPoP key pair is no longer available in the Android KeyStore. Re-authentication is required."
+                Code.DPOP_NOT_CONFIGURED -> "The stored credentials are DPoP-bound but the AuthenticationAPIClient used by this CredentialsManager was not configured with useDPoP(context). Call AuthenticationAPIClient(auth0).useDPoP(context) and pass the configured client to CredentialsManager."
                 Code.UNKNOWN_ERROR -> "An unknown error has occurred while fetching the token. Please check the error cause for more details."
             }
         }

@@ -198,6 +198,29 @@ public class DPoP(context: Context) {
             return HeaderData(token, proof)
         }
 
+        /**
+         * Returns whether a DPoP key pair currently exists in the Android KeyStore.
+         *
+         * This can be used to check if DPoP credentials are still available after events
+         * like device backup/restore or factory reset, which do not preserve KeyStore entries.
+         *
+         * ```kotlin
+         *
+         *  if (!DPoP.hasKeyPair()) {
+         *      // Key was lost — clear stored credentials and re-authenticate
+         *  }
+         *
+         * ```
+         *
+         * @return true if a DPoP key pair exists in the KeyStore, false otherwise.
+         * @throws DPoPException if there is an error accessing the KeyStore.
+         */
+        @Throws(DPoPException::class)
+        @JvmStatic
+        public fun hasKeyPair(): Boolean {
+            return DPoPUtil.hasKeyPair()
+        }
+
         /**
          * Method to clear the DPoP key pair from the keystore. It must be called when the user logs out
          * to prevent reuse of the key pair in subsequent sessions.