@worldcoin/idkit-core is the lowest-level JavaScript/TypeScript IDKit SDK.
Use it when you want full control over UI and state management or when you’re not using React.
Install
Entry points
IDKit.request(config)for uniqueness proofsIDKit.requestWithInviteCode(config)for invite-code modeorbLegacy,secureDocumentLegacy,documentLegacy,selfieCheckLegacyfor presets
.preset(...).
Request config
Presets
Polling and status
After.preset(...), you get an IDKitRequest object:
connectorURIrequestIdpollOnce()pollUntilCompletion({ pollInterval, timeout })getDebugReport()
When running inside World App, native transport is used and
connectorURI may be empty.
Outside World App, connectorURI is the URL you render as a QR code.Debug report
BothIDKitRequest and IDKitInviteCodeRequest expose getDebugReport(): IDKitDebugReport with diagnostics for the latest request state.
IDKitDebugReport fields: version, package_version, transport ("bridge" | "mini_app"), generated_at, and optional request_id, request_payload, response_payload, and mini_app (MiniAppDebugInfo). For bridge transport response_payload is the decrypted plaintext response string once the request completes; for native (mini_app) transport it is a structured debug object. The mini_app object holds World App native-transport diagnostics: verify_version, platform, send_channel, minikit_subscribed, and response_channel.
setDebug(true) (or window.IDKIT_DEBUG = true) and isDebug() toggle verbose console.debug logging. This is separate from getDebugReport(), which works regardless.Invite-code mode
UseIDKit.requestWithInviteCode(config) to open a landing page that displays both an invite code and a QR code. Validation, the returned Status shape, and the poll loop are identical to IDKit.request. See Invite-code mode for when to use it.
IDKitInviteCodeRequest exposes:
connectorURIexpiresAtrequestIdpollOnce()pollUntilCompletion({ pollInterval, timeout })getDebugReport()
Migrating from QR / connect-URL
connectorURI now includes &c=<code>&a=<app_id> params; use it alongside expiresAt in your UI. Polling, proof verification, and nullifier storage stay the same.
Server-side helpers
Use subpath exports on your backend:signRequest should only run in trusted server environments. See RP Signatures for the full algorithm and test vectors.