Auth
Sign in verified humans privately.
Human Gateway Auth lets partners add a hosted verified-human login flow with partner-scoped users and auth sessions, without handling raw World ID proof internals or unnecessary identity data.
What Auth is
Auth is for product flows where you need a private verified-human login or session reference. It creates a partner-scoped Human Gateway user reference and an auth session reference after a successful hosted proof flow.
Human Gateway Auth does not replace your full application account system unless you choose to build your app around it. Partners remain responsible for their own app session, access rules, logout behavior, data retention, and compliance requirements.
When to use Auth
Use Auth when you need more than a one-time human check. Auth is useful for sign-in, gated areas, dashboards, communities, or product areas where a partner-scoped verified-human session is useful.
Auth use cases
Good fit for Auth
- Sign in with verified-human proof
- Human-only account access
- Private login without collecting identity documents
- Partner-scoped verified-human sessions
- Access gating for dashboards or communities
- Re-authentication for sensitive product actions
Not a fit by itself
- KYC
- Civil identity verification
- Sanctions screening
- Age verification
- AML checks
- Full regulated compliance replacementConfigure frontend values
Store your public project and Auth action values in environment variables. They are not callback secrets, but keeping them configurable reduces accidental exposure and makes sandbox and production setups easier to manage.
Frontend environment variables
NEXT_PUBLIC_HG_PROJECT_ID=project_xxx
NEXT_PUBLIC_HG_AUTH_ACTION_KEY=hg_auth_action_key_xxxRun Auth with the SDK
Launch Auth directly from a user action such as a button click. Browsers may block popups opened after delayed promises, timers, or background tasks.
Auth example
import { HumanGateway } from "@human-gateway/sdk";
const hg = new HumanGateway({
projectId: process.env.NEXT_PUBLIC_HG_PROJECT_ID!,
environment: "production",
});
const result = await hg.auth({
actionKey: process.env.NEXT_PUBLIC_HG_AUTH_ACTION_KEY!,
});
if (result.success && result.verified_human) {
// Update UI immediately.
// Reconcile durable app access from your backend callback flow.
}Optional frontend callbacks
Frontend callbacks help update loading states, success screens, retry messaging, and analytics. They should not replace signed backend callbacks for durable access decisions.
Auth with SDK callbacks
const result = await hg.auth({
actionKey: process.env.NEXT_PUBLIC_HG_AUTH_ACTION_KEY!,
onOpen: () => {
console.log("Human Gateway Auth opened");
},
onSuccess: (result) => {
console.log("Human Gateway Auth completed", result);
},
onError: (error) => {
console.error("Human Gateway Auth failed", error.code);
},
});Auth result
The SDK returns a frontend result for immediate UX. Treat this as a client-side signal, not your durable backend source of truth.
Auth result
{
"success": true,
"event": "auth.completed",
"verified_human": true,
"verification_level": "orb",
"partner_user_id": "puser_xxx",
"auth_session_id": "authsess_xxx",
"project_id": "project_xxx",
"expires_at": "2026-08-01T00:00:00.000Z"
}partner_user_idis a Human Gateway user reference scoped to your partner/project context.auth_session_idreferences the Human Gateway auth session created by the hosted flow.expires_atindicates when the Human Gateway auth session expires.verification_levelcan bedevice,document,secure_document,orb, ornull. Human Gateway only returns the value provided by World ID.
Signed callback
After Auth completes, Human Gateway can send a signed auth.completed callback to your backend. Verify the signature, timestamp, event, and project before granting durable app access or updating your database.
auth.completed
{
"event_id": "evt_xxx",
"event": "auth.completed",
"success": true,
"verified_human": true,
"verification_level": "orb",
"project_id": "project_xxx",
"partner_id": "partner_xxx",
"partner_user_id": "puser_xxx",
"auth_session_id": "authsess_xxx",
"action": "hg_auth_action_key_xxx",
"expires_at": "2026-08-01T00:00:00.000Z",
"created_at": "2026-07-01T00:00:00.000Z"
}Auth callback handling
if (callback.event === "auth.completed") {
const payload = callback.payload;
if (payload.verified_human === true) {
// Store or reconcile payload.partner_user_id.
// Store payload.auth_session_id if useful for audit or session mapping.
// Grant app access according to your own backend session model.
}
}Backend environment variables
HG_PROJECT_ID=project_xxx
HG_CALLBACK_SECRET=your_callback_secretContinue with the callbacks guide for raw body handling, signature verification, timestamp validation, and idempotency.
Recommended auth flow
Auth flow
1. User clicks "Sign in with Human Gateway".
2. Partner frontend calls hg.auth({ actionKey }).
3. Human Gateway opens a hosted Auth flow.
4. User completes World ID proof.
5. Human Gateway creates a partner-scoped auth session.
6. Partner frontend receives a UX result.
7. Human Gateway sends a signed backend callback.
8. Partner backend verifies the callback.
9. Partner backend links or reconciles the partner_user_id.
10. Partner grants app access according to its own session model.Session model
Human Gateway Auth creates a Human Gateway auth session reference. Your app may still create and control its own session, cookie, token, or user access state after your backend verifies the signed callback.
Session model
Human Gateway Auth result
- partner_user_id: stable partner-scoped user reference
- auth_session_id: Human Gateway session reference
- expires_at: Human Gateway session expiration timestamp
- project_id: Human Gateway project context
- verified_human: proof-of-human result
- verification_level: World ID verification level returned for this proof
Partner app session
- created and controlled by the partner
- stores only what the partner needs
- should be granted after valid backend callback verification
- should respect the partner's own logout, expiration, and access rulesLogout and expiration
Partners should define how their own app session expires and how logout behaves. Clearing the partner app session is separate from any Human Gateway session reference you store for audit or reconciliation.
Partner logout example
// Partner logout should clear the partner app session.
// If your integration also tracks Human Gateway auth_session_id,
// reconcile or revoke it according to your product requirements.
await fetch("/api/logout", {
method: "POST",
});Recommended UI states
A good Auth integration should handle success, cancellation, popup blocking, backend confirmation, expiration, and logout clearly.
UI states
Recommended UI states
- Signed out
- Opening Human Gateway Auth
- Waiting for proof
- Auth completed
- Waiting for backend confirmation
- Signed in
- User closed popup
- Popup blocked
- Auth failed
- Session expiredPrivacy model
Human Gateway Auth is designed to avoid exposing raw World ID nullifiers, raw World ID proof data, biometric data, identity documents, government identity data, or unnecessary personal identity information.
Partners may receive scoped operational fields such as verified_human, partner_user_id, auth_session_id, project_id, action information, expiration timestamps, event IDs, and callback timestamps.
verified_human, verification_level, partner_user_id, auth_session_id, project_id, action information, expiration timestamps, event IDs, and callback timestamps.Human Gateway does not infer, upgrade, or claim a stronger verification level than the value returned by World ID.
Partner responsibilities
Partners remain responsible for their own application account model, session cookies or tokens, authorization logic, user notices, consent flows, callback endpoints, secrets, data retention, and legal compliance.
Auth is not KYC, civil identity verification, sanctions screening, age verification, AML, or a replacement for regulated compliance checks.
Production checklist
Auth checklist
Auth production checklist
- Create an Auth action in Partner Console
- Use an explicit auth actionKey
- Configure allowed frontend origins
- Configure a full backend callback URL
- Keep callback secrets backend-only
- Launch Auth from a direct user action
- Treat SDK result as immediate UX only
- Verify signed auth.completed callback before granting durable access
- Store callback event_id for idempotency
- Decide how partner_user_id maps to your app user/session model
- Handle session expiration and logout clearly
- Avoid collecting unnecessary personal dataNext steps
For one-time proof-of-human checks, continue with Verify. For installation and basic setup, review the Quickstart.