World ID

Sign in with World ID

When using Sign in with World ID, we highly recommend allowing users to set a separate recovery method for their account (e.g. email), in case users lose access to or reset their World ID. Read about World ID Reset here.

World ID can be used as an authentication mechanism. Some helpful resources for integrating World ID with your app:

Typical OIDC-compatible authentication engines include Auth0, AWS Cognito, Cloudflare Access, OneLogin and many more. Most languages and frameworks have simple open source packages for this.

Auth0 Integration | NextAuth Template | Custom Authentication Engines

Follow the Auth0 Integration installation instructions to add Sign in with World ID to your Auth0 Tenant using the Client ID and Client Secret found in the Developer Portal.

If your app hasn't yet integrated Auth0, you can use any of their various SDK libraries to get started. This allows using Sign in with World ID on a very broad range of platforms, including web, mobile, and desktop apps.

Mapping User Info

The /userinfo endpoint or id_token JWT returns a JSON object with the following fields:

Response

{
	"sub": "0x2ae86d6d747702b3b2c81811cd2b39875e8fa6b780ee4a207bdc203a7860b535",
	"https://id.worldcoin.org/beta": {
		"likely_human": "strong",
		"credential_type": "orb"
	},
	// if `email` scope is included:
	"email": "0x2ae86d6d747702b3b2c81811cd2b39875e8fa6b780ee4a207bdc203a7860b535@id.worldcoin.org",
	// if `profile` scope is included:
	"name": "World ID User",
	"given_name": "World ID",
	"family_name": "User"
}

The email field is set only for compatibility with apps that cannot function without it. Users cannot receive emails at this address, and it should be ignored when possible.

The sub field is the user's nullifier hash -- their unique identifier in the context of your app. A user's nullifier hash will be different for each app they use.

You can find information about a user's World ID Credentials in the https://id.worldcoin.org/beta object. Use the credential_type field to determine whether the user has been Orb-verified or not.
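
One way to map these fields onto a local account record, shown as an added example that is not part of the World ID documentation or SDKs. It assumes your OIDC library has already validated the id_token (signature, issuer, audience); mapWorldIdClaims, the returned field names and the sub format check (taken from the sample response above) are hypothetical.

```javascript
// Added example: map World ID claims (from /userinfo or a validated id_token)
// onto a local account record. All function and field names are hypothetical.
const WORLD_ID_NS = "https://id.worldcoin.org/beta";
const PLACEHOLDER_EMAIL_DOMAIN = "@id.worldcoin.org";
// Assumption: nullifier hashes look like the sample response (0x + 64 hex chars).
const NULLIFIER_RE = /^0x[0-9a-f]{64}$/i;

function mapWorldIdClaims(claims) {
  if (!claims || typeof claims.sub !== "string" || !NULLIFIER_RE.test(claims.sub)) {
    throw new Error("missing or malformed sub claim");
  }
  const raw = claims[WORLD_ID_NS];
  const ns = raw && typeof raw === "object" ? raw : {};

  // The compatibility address cannot receive mail: never store it as a contact
  // or recovery address, and never use it to link to an existing account.
  const email =
    typeof claims.email === "string" &&
    !claims.email.toLowerCase().endsWith(PLACEHOLDER_EMAIL_DOMAIN)
      ? claims.email
      : null;

  return {
    // Key the account on sub. It differs per app, so it identifies the user
    // only within this app.
    externalId: claims.sub,
    contactEmail: email,
    credentialType: typeof ns.credential_type === "string" ? ns.credential_type : null,
    likelyHuman: typeof ns.likely_human === "string" ? ns.likely_human : null,
    // Fail closed: anything other than an explicit "orb" is not Orb-verified.
    orbVerified: ns.credential_type === "orb",
    // No usable email means the user should be asked for a recovery method.
    needsRecoveryMethod: email === null,
  };
}

// Constructed sample input, copied from the response shown above.
const sampleClaims = {
  sub: "0x2ae86d6d747702b3b2c81811cd2b39875e8fa6b780ee4a207bdc203a7860b535",
  "https://id.worldcoin.org/beta": { likely_human: "strong", credential_type: "orb" },
  email: "0x2ae86d6d747702b3b2c81811cd2b39875e8fa6b780ee4a207bdc203a7860b535@id.worldcoin.org",
  name: "World ID User",
};
```

Gate any Orb-only feature on orbVerified rather than on the mere presence of the namespaced object, so a response without credential_type is treated as unverified.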