Use Wallet Authentication as the primary auth flow. Do not use the Verify
command for login purposes.
Wallet Authentication provides native support for SIWE and it’s the recommended way to authenticate users in your mini app.
This provides your app with access to a User object that contains the user’s wallet address, username, and other information.
Using NextAuth you can easily create and manage sessions for your app. The starter template is already set up with NextAuth.
To extend this to other wallet providers, you simply need to trigger the wallet auth command and verify the response with verifySiweMessage.
Starting from World App 2.8.79 and higher, we support the standard SIWE
verification library.
Since the user can modify the client, it’s important to create the nonce in the backend. The nonce must be at least 8 alphanumeric characters in length.
app/api/nonce.ts
Copy
import {cookies} from "next/headers"; import {(NextRequest, NextResponse)} from "next/server";export function GET(req: NextRequest) { // Expects only alphanumeric characters const nonce = crypto.randomUUID().replace(/-/g, "");// The nonce should be stored somewhere that is not tamperable by the client// Optionally you can HMAC the nonce with a secret key stored in your environmentcookies().set("siwe", nonce, { secure: true });return NextResponse.json({ nonce });}
import { MiniKit, WalletAuthInput } from '@worldcoin/minikit-js'// ...const signInWithWallet = async () => { if (!MiniKit.isInstalled()) { return } const res = await fetch(`/api/nonce`) const { nonce } = await res.json() const {commandPayload: generateMessageResult, finalPayload} = await MiniKit.commandsAsync.walletAuth({ nonce: nonce, requestId: '0', // Optional expirationTime: new Date(new Date().getTime() + 7 * 24 * 60 * 60 * 1000), notBefore: new Date(new Date().getTime() - 24 * 60 * 60 * 1000), statement: 'This is my statement and here is a link https://worldcoin.com/apps', }) // ...
The returned message (in final payload) will include a signature compliant with ERC-191.
You’re welcome to use any third party libraries to verify the payloads for SIWE.
Finally, complete the sign in by verifying the response from World App in your backend. Here we check the nonce matches the one we created earlier, and
then verify the signature.
OAuth (Google, Apple, etc.): These providers are supported but it’s recommended to trigger this outside of the World App and then redirect back to your mini app with the access token worldapp://mini-app?app_id=appId&path=/handle-oauth?accessToken=....
Sign in with World ID: Not recommended as it doesn’t provide the user’s wallet address.