Skip to main content
@worldcoin/idkit-core is the lowest-level JavaScript/TypeScript IDKit SDK. Use it when you want full control over UI and state management or when you’re not using React.

Install

Entry points

  • IDKit.request(config) for uniqueness proofs
  • IDKit.requestWithInviteCode(config) for invite-code mode
  • orbLegacy, secureDocumentLegacy, documentLegacy, selfieCheckLegacy for presets
Each entry point returns a builder. Finalize it with .preset(...).

Request config

Generate rp_context in your backend only. Never expose your RP signing key in client code.

Presets

Polling and status

After .preset(...), you get an IDKitRequest object:
  • connectorURI
  • requestId
  • pollOnce()
  • pollUntilCompletion({ pollInterval, timeout })
  • getDebugReport()
When running inside World App, native transport is used and connectorURI may be empty. Outside World App, connectorURI is the URL you render as a QR code.

Debug report

Both IDKitRequest and IDKitInviteCodeRequest expose getDebugReport(): IDKitDebugReport with diagnostics for the latest request state.
IDKitDebugReport fields: version, package_version, transport ("bridge" | "mini_app"), generated_at, and optional request_id, request_payload, response_payload, and mini_app (MiniAppDebugInfo). For bridge transport response_payload is the decrypted plaintext response string once the request completes; for native (mini_app) transport it is a structured debug object. The mini_app object holds World App native-transport diagnostics: verify_version, platform, send_channel, minikit_subscribed, and response_channel.
setDebug(true) (or window.IDKIT_DEBUG = true) and isDebug() toggle verbose console.debug logging. This is separate from getDebugReport(), which works regardless.

Invite-code mode

Use IDKit.requestWithInviteCode(config) to open a landing page that displays both an invite code and a QR code. Validation, the returned Status shape, and the poll loop are identical to IDKit.request. See Invite-code mode for when to use it.
IDKitInviteCodeRequest exposes:
  • connectorURI
  • expiresAt
  • requestId
  • pollOnce()
  • pollUntilCompletion({ pollInterval, timeout })
  • getDebugReport()

Migrating from QR / connect-URL

The config object is unchanged. The connectorURI now includes &c=<code>&a=<app_id> params; use it alongside expiresAt in your UI. Polling, proof verification, and nullifier storage stay the same.

Server-side helpers

Use subpath exports on your backend:
signRequest should only run in trusted server environments. See RP Signatures for the full algorithm and test vectors.