...

In BoB, the use of a bobHok is recommended. bobHok is a claim in the auth token (JWT) that contains the fingerprint of the client certificate used in the request to the Authentication API that created the auth token. It prevents the auth token from being tampered with in a man-in-the-middle attack.

...

Optionally, a client certificate and private key can be configured. If these are not configured, STEVE will use its default built-in client certificate and private key.

The new auth token will contain a new bobHok claim matching the client certificate only if bobHok is present in the original auth token.
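The check a receiving service can make against bobHok, and the renewal rule above, as an added example (not code from BoB or STEVE). It assumes the fingerprint is the base64url-encoded SHA-256 of the DER certificate, which this page does not specify, and that the token signature has already been verified; all function names are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def fingerprint(cert_der: bytes) -> str:
    # ASSUMPTION: base64url(SHA-256(DER certificate)); the real format is not on the page.
    return b64url(hashlib.sha256(cert_der).digest())

def jwt_claims(token: str) -> dict:
    # Decodes the payload only. Signature verification must already have succeeded.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def check_bobhok(token: str, presented_cert_der: bytes, require: bool = False) -> bool:
    """True if the token may be used over a connection presenting this certificate."""
    claim = jwt_claims(token).get("bobHok")
    if claim is None:
        # bobHok is recommended, not mandatory: local policy decides on unbound tokens.
        return not require
    if not isinstance(claim, str):
        return False
    # Constant-time comparison of the claim with the presented certificate's fingerprint.
    return hmac.compare_digest(claim.encode(), fingerprint(presented_cert_der).encode())

def renewed_claims(original: dict, renewing_cert_der: bytes) -> dict:
    """Renewal rule: a new bobHok is issued only if the original token carried one."""
    new = {k: v for k, v in original.items() if k != "bobHok"}
    if "bobHok" in original:
        new["bobHok"] = fingerprint(renewing_cert_der)
    return new

def make_sample_token(claims: dict) -> str:
    # Constructed sample token; the signature segment is a placeholder.
    header = b64url(json.dumps({"alg": "ES256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.c2ln"

if __name__ == "__main__":
    cert_a, cert_b = b"constructed-der-cert-A", b"constructed-der-cert-B"
    token = make_sample_token({"sub": "device-1", "bobHok": fingerprint(cert_a)})
    print(check_bobhok(token, cert_a), check_bobhok(token, cert_b))
```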