- The document proposes strengthening credentials like cookies and OAuth tokens by binding them to a client's token binding ID, which is derived from the TLS session and proven by the client's signature.
- It describes how a client can disclose its token binding ID to an HTTP server via a new HTTP header, and how the server can then bind tokens to that ID. It also discusses how a relying party can trigger a client to disclose its token binding ID to an identity provider to enable federated binding of tokens.
- Key aspects are the client signing the TLS unique value to prove possession of the private key, using different keys per top-level domain, and supporting referral of the binding ID between domains to allow federated scenarios.
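One way a server could bind a cookie to a token binding ID, as an added example that is not taken from the summarized document. It assumes the server has already checked the client's signature over the TLS unique value and therefore trusts the ID; the function names, the HMAC construction, and the sample IDs are hypothetical.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret; a real server would load its MAC key from a key store.
SERVER_KEY = b"demo-only-server-mac-key"

# Constructed sample IDs standing in for token binding IDs the server has
# already verified (assumption: signature over the TLS unique value checked).
CLIENT_TB_ID = b"constructed-token-binding-id-of-legitimate-client"
OTHER_TB_ID = b"constructed-token-binding-id-of-another-client"


def _mac(payload: bytes, tb_id: bytes) -> bytes:
    # Hash the ID so the MAC input ends in a fixed-length, unambiguous suffix.
    bound = payload + hashlib.sha256(tb_id).digest()
    return hmac.new(SERVER_KEY, bound, hashlib.sha256).digest()


def issue_bound_cookie(claims: dict, tb_id: bytes) -> str:
    """Mint a cookie whose MAC covers both the claims and the token binding ID."""
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = _mac(payload, tb_id)
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_bound_cookie(cookie: str, tb_id: bytes):
    """Return the claims if the cookie was bound to tb_id, otherwise None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:  # wrong number of parts or invalid base64
        return None
    # Constant-time comparison; the MAC is checked before the payload is parsed.
    if not hmac.compare_digest(tag, _mac(payload, tb_id)):
        return None
    return json.loads(payload)


if __name__ == "__main__":
    cookie = issue_bound_cookie({"user": "alice"}, CLIENT_TB_ID)
    print(verify_bound_cookie(cookie, CLIENT_TB_ID))  # accepted on the bound ID
    print(verify_bound_cookie(cookie, OTHER_TB_ID))   # rejected on any other ID
```

The cookie itself does not carry the ID, so a copy presented alongside a different token binding ID fails verification.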