Verify
Verify real humans without handling identity.
Human Gateway Verify lets partners confirm that a user completed a proof-of-human flow for a specific project/action context, without exposing raw World ID proof internals or unnecessary personal identity data.
What Verify is
Verify is for product moments where you need to know that a user is a real human for a specific action, but you do not need Human Gateway to manage an auth session.
A Verify action belongs to a Human Gateway project. Partners launch Verify from the frontend SDK and should persist durable state only after receiving a valid signed backend callback.
When to use Verify
Use Verify for anti-sybil checks, voting, claim gating, signup abuse prevention, community access, or other product actions where humanity is useful but a Human Gateway auth session is not required.
Verify use cases
Good fit for Verify
- Signup abuse prevention
- One-human voting or polling
- Claim, reward, waitlist, or invite gating
- Community access checks
- Anti-sybil product actions
- Human-only feature unlocks
Not a fit by itself
- KYC
- Civil identity verification
- Sanctions screening
- Age verification
- Legal compliance replacement
- Full account/session managementConfigure frontend values
Store your public project and Verify action values in environment variables. They are not callback secrets, but keeping them configurable reduces accidental exposure and makes sandbox and production setups easier to manage.
Frontend environment variables
NEXT_PUBLIC_HG_PROJECT_ID=project_xxx
NEXT_PUBLIC_HG_VERIFY_ACTION_KEY=hg_verify_action_key_xxxRun Verify with the SDK
Launch Verify directly from a user action such as a button click. Browsers may block popups opened after delayed promises, timers, or background tasks.
Verify example
import { HumanGateway } from "@human-gateway/sdk";
const hg = new HumanGateway({
projectId: process.env.NEXT_PUBLIC_HG_PROJECT_ID!,
environment: "production",
});
const result = await hg.verify({
actionKey: process.env.NEXT_PUBLIC_HG_VERIFY_ACTION_KEY!,
});
if (result.verified_human) {
// Update UI immediately.
// Persist durable verified state only after your backend
// receives and verifies the signed callback.
}Optional frontend callbacks
Frontend callbacks help update product UX, analytics, loading states, and retry messaging. They should not replace signed backend callbacks for durable access decisions.
Verify with SDK callbacks
const result = await hg.verify({
actionKey: process.env.NEXT_PUBLIC_HG_VERIFY_ACTION_KEY!,
onOpen: () => {
console.log("Human Gateway Verify opened");
},
onSuccess: (result) => {
console.log("Human Gateway Verify completed", result);
},
onError: (error) => {
console.error("Human Gateway Verify failed", error.code);
},
});Verify result
The SDK returns a frontend result for immediate UX. Treat this as a client-side signal, not your durable backend source of truth.
Verify result
{
"success": true,
"verified_human": true,
"verification_level": "orb",
"unique_for_partner": true,
"already_verified": false,
"project_id": "project_xxx"
}verified_humanindicates whether the flow completed successfully.verification_levelindicates the World ID verification level returned for this proof. It can bedevice,document,secure_document,orb, ornull.unique_for_partnerindicates whether this is a new partner-scoped human for that project/action context.already_verifiedhelps your UI handle returning users gracefully.
Signed callback
After Verify completes, Human Gateway can send a signed verification.completed callback to your backend. Verify the signature, timestamp, event, and project before persisting state.
verification.completed
{
"event_id": "evt_xxx",
"event": "verification.completed",
"success": true,
"verified_human": true,
"verification_level": "orb",
"unique_for_partner": true,
"already_verified": false,
"project_id": "project_xxx",
"action": "hg_verify_action_key_xxx",
"created_at": "2026-07-01T00:00:00.000Z"
}Continue with the callbacks guide for raw body handling, signature verification, timestamp validation, and idempotency.
Recommended product flow
Verify flow
1. User clicks "Verify with Human Gateway".
2. Partner frontend calls hg.verify({ actionKey }).
3. Human Gateway opens a hosted Verify flow.
4. User completes World ID proof.
5. Partner frontend receives a UX result.
6. Human Gateway sends a signed backend callback.
7. Partner backend verifies the callback.
8. Partner backend persists verified state.
9. Partner frontend hides the Verify button or shows a verified badge.Recommended UI states
A good Verify integration should handle success, retries, cancellation, blocked popups, and backend confirmation states clearly.
UI states
Recommended UI states
- Not verified
- Verifying
- Verified
- Already verified
- User closed popup
- Popup blocked
- Verification failed
- Waiting for backend confirmationPrivacy model
Human Gateway Verify is designed to avoid exposing raw World ID nullifiers, raw World ID proof data, biometric data, identity documents, government identity data, or unnecessary personal identity information.
Partners receive scoped operational results needed to update product behavior, such as verified_human, verification_level, unique_for_partner, already_verified, project_id, action information, event IDs, and timestamps.
Human Gateway only returns the verification level provided by World ID. It does not infer, upgrade, or claim a stronger verification level.
Partner responsibilities
Partners remain responsible for their own app security, user notices, consent flows, callback endpoints, secrets, data retention, product eligibility rules, and legal compliance.
Verify is not KYC, civil identity verification, sanctions screening, age verification, or a replacement for regulated compliance checks.
Production checklist
Verify checklist
Verify production checklist
- Create a Verify action in Partner Console
- Use an explicit verify actionKey
- Configure allowed frontend origins
- Configure a full backend callback URL
- Keep callback secrets backend-only
- Launch Verify from a direct user action
- Treat SDK result as immediate UX only
- Verify signed callback before persisting state
- Store callback event_id for idempotency
- Avoid collecting unnecessary personal dataNext steps
For login/session flows, continue with Auth. For installation and basic setup, review the Quickstart.