Sign in with World ID uses a different base API endpoint than the Developer Portal.
This page primarily describes options that are OIDC-compliant. We additionally support using access tokens as described in the OAuth2 standards. No actions can be taken on behalf of a user with OAuth2 access tokens, but you may retrieve the same information about a user as would be contained in an
id_token
. See below for details.OpenID Connect discovery
GET/.well-known/openid-configuration
Fetches the OpenID Connect discovery document.
Common Errors
method_not_allowed
: HTTP method is not allowed. Only GET and OPTIONS may be used
cURL
Response
Authorize
GET/authorize
Redirect your users to this page to begin the sign-in flow.
Required attributes
All attributes are formatted as URL query parameters.Parameter | Type | Description |
---|---|---|
response_type | string | Must be code for authorization code flow, id_token for implicit flow, or a space-separated combination of code , id_token , and token for hybrid flow. We generally recommend using the authorization code or implicit flows. |
scope | string | Space-separated list of the requested OIDC scopes. Must include openid , and may optionally include email and profile . |
client_id | string | The Client ID of your app. Get this from the Developer Portal. |
redirect_uri | string | URL the user will be redirected to after authentication. Must match one of your app’s configured redirect_uris . |
Optional attributes
Parameter | Type | Description |
---|---|---|
state | string | An opaque value used to maintain state between the request and the callback. |
nonce | string | Required when using the implicit flow. Used to prevent replay attacks. Should be randomly generated for each sign-in, and checked to ensure it’s unchanged after the callback. |
response_mode | string | Determines how the authorization code, ID token, and/or access token are returned. Must be one of query , fragment , or form_post . query is only supported for the authorization code flow. Defaults to query for authorization code flow, and fragment for all others. |
Common Errors
required
: A necessary attribute was not set. Required attributes are:response_type scope client_id redirect_uri
invalid_redirect_uri
: The provided redirect URI is invalid. Ensure you’ve set the correctredirect_uri
in the Developer Portal.
Request
Response - Authorization Code
Response - ID Token
Exchange Code
POST/token
Exchanges an authorization code for an id_token
for the given user.
Required attributes
Parameter | Type | Description |
---|---|---|
code | string | The authorization code to exchange. |
grant_type | string | The type of grant to exchange. Must be authorization_code . |
redirect_uri | string | The same redirect URI used in the /authorize request. |
Common Errors
method_not_allowed
: HTTP method is not allowed. Only POST and OPTIONS may be usedinvalid_content_type
: The provided content type is invalid, onlyapplication/x-www-form-urlencoded
is supportedunauthenticated
: The provided authorization token is invalid, try checking your credentialsinvalid_grant_type
: The provided grant type is invalid, onlyauthorization_code
is supportedrequired
: A necessary attribute was not set. Required attributes are:code
invalid_grant
: The authorization code was invalid, and may be expired. Try generating a new code via/authorize
cURL
Response
OAuth2
If you selectedtoken
as one of your response_types
for the /authorize
endpoint, you’ll receive an OAuth2 access token. Typically an access token would allow you to perform certain actions on a user’s behalf, but there are no actions to perform for a user in this case.
You can retrieve the same information about a user with an access token as you’d receive in an ID token. While we support this functionality for broader compatibility, we generally recommend using the authorization code or implicit flows, rather than the hybrid flow.
The endpoints below are only used with an OAuth2 access token.
Introspect
POST/introspect
Validates the given access token is active for the user.
For introspect, Basic Authentication is used. The
Authorization
header contains the word “Basic ”, followed by a base64 encoding of the “client_id:client_secret” values. You obtain your client_id (also called app_id) and client_secret from the Developer Portal.Required attributes
Parameter | Type | Description |
---|---|---|
token | string | The access token to validate. |
Common Errors
method_not_allowed
: HTTP method is not allowed. Only POST may be usedinvalid_content_type
: The provided content type is invalid, onlyapplication/x-www-form-urlencoded
is supportedrequired
: A necessary attribute was not set. Required attributes are:token
unauthenticated
: The authorization header is missing, please pass the Bearer authorization tokeninvalid_token
: The authorization token was invalid, and may be expired. Try generating a new token via/token
cURL
Response
Get User Info
POST/userinfo
Retrieves all user information, based on the approved scopes, with the given access token.
For userinfo, Bearer Authentication is used. The
Authorization
header contains the word “Bearer ”, followed by the access token returned from the /token
endpoint.Common Errors
method_not_allowed
: HTTP method is not allowed. Only GET, POST, and OPTIONS may be usedunauthenticated
: The authorization header is missing, please pass the Bearer authorization tokeninvalid_token
: The authorization token was invalid, and may be expired. Try generating a new token via/token
cURL
Response