Sign In with World ID

Sign in with World ID

Typical OIDC-compatible authentication engines include Auth0, AWS Cognito, CloudFlare Access, OneLogin and many more. Most languages and frameworks have simple open source packages for this.

Auth0 IntegrationNextAuth TemplateCustom Authentication Engines

Follow the Auth0 Integration installation instructions to add Sign in with World ID to your Auth0 Tenant using the Client ID and Client Secret found in the Developer Portal.

If your app hasn't yet integrated Auth0, you can use any of their various SDK libraries to get started. This allows using Sign in with World ID on a very broad range of platforms, including web, mobile, and desktop apps.

Mapping User Info

The https://id.worldcoin.org/beta claim has been deprecated and replaced by https://id.worldcoin.org/v1.

The /userinfo endpoint or id_token JWT returns a JSON object with the following fields:

Response

{
	"sub": "0x2ae86d6d747702b3b2c81811cd2b39875e8fa6b780ee4a207bdc203a7860b535",
	"https://id.worldcoin.org/beta": { // deprecated, will be removed in the future
		"likely_human": "strong",
		"credential_type": "orb"
	},
    "https://id.worldcoin.org/v1": {
        "verification_level": "orb", // "orb" or "device"
    },
	"email": "0x2ae86d6d747702b3b2c81811cd2b39875e8fa6b780ee4a207bdc203a7860b535@id.worldcoin.org", // if `email` scope is included
	"name": "World ID User", // if `profile` scope is included
	"given_name": "World ID", // if `profile` scope is included
	"family_name": "User" // if `profile` scope is included
}

The email field is set only for compatibility with apps that cannot function without it. Users cannot receive emails at this address, and it should be ignored when possible.

The sub field is the user's nullifier hash -- their unique identifier in the context of your app. A user's nullifier hash will be different for each app they use.

You can information about a user's World ID Credentials in the https://id.worldcoin.org/v1 object. Use the verification_level field to determine whether the user has been Orb-verified or not.