
invalid_dpop_proof: 'htu' claim in the DPoP proof JWT is invalid. #453

@kjkuan


Describe the bug

I got an error about invalid DPoP in an API response:

      'www-authenticate': [
        `DPoP algs="RS256 RS384 RS512 ES256 ES384 ES512", authorization_uri="http://integrator-8941517.okta.com/oauth2/v1/authorize", realm="http://integrator-8941517.okta.com", scope="okta.groups.read", error="invalid_dpop_proof", error_description="'htu' claim in the DPoP proof JWT is invalid.", resource="/api/v1/groups/00gwsh7e1dYS1VtcJ697/users"`
      ],

Reproduction Steps?

With code like this:

import fs from 'node:fs';
import okta from '@okta/okta-sdk-nodejs';

const clientId = process.env.OAUTH_CLIENT_ID;
const jwk = fs.readFileSync('jwk.json', 'utf-8');

const client = new okta.Client({
  orgUrl: 'https://integrator-8941517.okta.com/',
  authorizationMode: 'PrivateKey',
  clientId: clientId,
  scopes: ['okta.groups.read'],
  privateKey: jwk
});

const users = await client.groupApi.listGroupUsers({groupId: "00gwsh7e1dYS1VtcJ697"});
users.each(u => {
  console.log(u);
})

I got an error as described above.

The code works if I turn off DPoP for the app.

SDK Versions

  System:
    OS: Linux 6.8 Ubuntu 24.04.3 LTS 24.04.3 LTS (Noble Numbat)
    CPU: (4) arm64 unknown
    Memory: 14.48 GB / 15.59 GB
    Container: Yes
    Shell: 5.2.21 - /bin/bash
  Binaries:
    Node: 22.16.0 - /home/jkuan/.local/state/fnm_multishells/461037_1761336136819/bin/node
    npm: 10.9.2 - /home/jkuan/.local/state/fnm_multishells/461037_1761336136819/bin/npm
  npmPackages:
    @okta/okta-sdk-nodejs: ^7.3.0 => 7.3.0

Additional Information

No response
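
A diagnostic for the `htu` rejection reported above, added here as an example and not taken from the issue or from the Okta SDK: it decodes a DPoP proof without verifying its signature and compares `htm` and `htu` with the request as RFC 9449 describes (query and fragment of the request URI ignored). The function names, the `org.example` host and the sample proof are constructed for illustration; the issue does not say which part of `htu` the server rejected.

```javascript
// Added diagnostic, not SDK code. It does NOT verify the proof's signature;
// it only compares htm/htu with the request (RFC 9449, section 4.3).

// Decode one base64url JWT segment into an object.
function decodeSegment(seg) {
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

// Reduce a URI to the form used for comparison: WHATWG URL parsing lowercases
// scheme and host and drops default ports; query and fragment are stripped.
function comparableUri(uri) {
  const u = new URL(uri);
  u.search = '';
  u.hash = '';
  return u.href;
}

// Return a list of findings; an empty list means htm and htu match the request.
function checkDpopProof(proofJwt, method, requestUrl) {
  const parts = proofJwt.split('.');
  if (parts.length !== 3) return ['not a compact JWS (expected 3 segments)'];
  let header, claims, htu;
  try {
    header = decodeSegment(parts[0]);
    claims = decodeSegment(parts[1]);
  } catch (e) {
    return ['header or payload is not base64url-encoded JSON'];
  }
  const findings = [];
  if (header.typ !== 'dpop+jwt') findings.push(`typ is ${header.typ}, expected dpop+jwt`);
  if (claims.htm !== method) findings.push(`htm ${claims.htm} != request method ${method}`);
  try {
    htu = new URL(claims.htu);
  } catch (e) {
    return findings.concat('htu is missing or not an absolute URI');
  }
  if (htu.search || htu.hash) findings.push('htu carries a query or fragment');
  const want = comparableUri(requestUrl);
  if (comparableUri(claims.htu) !== want) findings.push(`htu ${claims.htu} != request URI ${want}`);
  return findings;
}

// Constructed sample proof: placeholder signature, hypothetical host and group id.
function sampleProof(htu) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  const claims = { htm: 'GET', htu, jti: 'constructed', iat: 0 };
  return [enc({ typ: 'dpop+jwt', alg: 'RS256' }), enc(claims), 'sig'].join('.');
}
```

To use it on a real failure, pass the value of the `DPoP` request header captured from the failing call together with the method and URL actually sent.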
