Human proofs for abuse-resistant accounts

Stop the same abuser
from coming back as a new account.

Human proofs let your site require one verified human behind high-risk accounts — without storing ID documents or building a KYC stack. lemma.id is the private proof layer underneath: passkey continuity for normal users, site-private PPIDs, and step-up to human proofs when bans need to survive email, SIM, device, and IP rotation.

Add to Your Site See the Demo
User-held proof wallet
Step up to isHuman when risk rises
No ID documents on your servers

Built for platforms where account rotation is the attack — marketplaces, ticketing, gaming, social apps, free trials, rewards programs, and any site where one bad actor can cheaply create the next account.

Example

A scalper creates 500 accounts. Your fraud system catches 200 and bans them. Tomorrow, the same operator returns with new emails, SIMs, and proxies. Passkey-only binding recognizes the same wallet on return — useful for continuity, but not Sybil-resistant. When you require human proofs, the abusive operator must pass fresh identity verification to come back; email, device, and IP rotation no longer mint a clean account.

Assurance levels

One integration. Three assurance tiers.

Start with passkey continuity for low-friction onboarding. Add signed backend verification when you need to trust the request. Require human proofs when your policy needs one verified human behind the account — that is where durable ban resistance lives.

Passkey continuity

Recognize the same returning wallet with a stable site-private PPID. Good for continuity and developer preview — not Sybil-resistant by itself; attackers can create another passkey wallet.

Signed presentation

Your backend verifies a signed proof from the user's wallet before creating an account or accepting a risky action. No KYC data lands on your servers.

isHuman

The enforcement tier: Sybil resistance, one account per human, abuse-resistant signup, bans that survive cheap credential rotation. Require when account rotation is the attack.

Why teams choose lemma.id

Why customers need human proofs + lemma.id

Login providers tell you which account signed in. Bot tools tell you which session looks suspicious. Human proofs give you the missing enforcement handle when one account must mean one human. lemma.id keeps that proof private, reusable, and locally verifiable — without turning your backend into an identity database.

lemma.id + your site Auth0 / Google SSO Direct KYC on your stack
Your servers store human + ~80-char PPID Email, name, shared sub ID images, name, DOB, reports
Cross-site linkability Different PPID per site Same user ID across apps You own the identity store
Return-visit checks Local — no lemma.id call Server token validation Vendor re-query or re-verify
Why you need it Private PPID binding; passkey for continuity, human proofs for Sybil resistance Great for login, weak against new accounts Strong signal, high compliance and breach burden
Same human across accounts
requires human proofs
Person-root binding — one human, one PPID New email = new account Strong, but you run KYC
Ban survives rotation
requires human proofs
Block the human root, not just the email Attacker rotates email or OAuth account Strong, but you run KYC

Full trust & data comparison →

How it works

Bind, detect, enforce

lemma.id does not replace your login, fraud model, or moderation queue. It gives those systems something durable to act on: a site-private proof binding that can step up to human proofs when uniqueness matters.

1

Bind

Bind your user record to a site-private PPID. For normal continuity, that PPID represents the same wallet. With human proofs, it represents the same verified human.

2

Detect

Your fraud, moderation, and abuse tooling flags bad behavior. lemma.id does not decide who is bad — with isHuman, it makes the consequence stick across new accounts.

3

Enforce

Block the site-private PPID, raise assurance to human proofs, or require fresh IDV. With human proofs required, swapping email, SIM, device, or IP no longer gives an abuser a clean slate.

Before

Bot detected → account banned → attacker rotates email, SIM, or proxy → new account, free

With human proofs required

Bot detected → account tied to verified human root → site-private PPID blocked → must pass fresh IDV to return

See the full verification flow and data model →

Developer integration

Integrate with a signed presentation

Most users start with passkey continuity — no IDV. Require isHuman on signup or high-risk actions when one account must map to one human. Signed presentations let your backend verify without storing KYC data.

Recommended signup gate (isHuman when Sybil resistance matters)
<script src="https://lemma.id/sdk/ishuman-verifier.js"></script>
<script>
  const verifier = new IsHumanVerifier({ siteId: 'app.example.com' });
  const { ok, presentation } = await verifier.verifyForBackend({
    autoProvision: true,
    requiredAssurance: 'ishuman',
  });
  if (!ok) throw new Error('not_verified');
  await fetch('/api/signup', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ presentation }),
  });
</script>
View integration docs See the demo

Product boundaries

What lemma.id is not

Customers need to know exactly where lemma.id fits. It is the proof and enforcement layer between login, fraud detection, and identity verification — not a replacement for all three.

Not bot detection

Your tools find suspicious behavior. With human proofs, lemma.id makes the consequence stick across new accounts.

Not a global public identity

Each site gets its own stable PPID per user — not one shared identifier across the whole web.

Not an identity store you run

Your servers hold a verdict and a PPID — not ID documents, names, or dates of birth.

What it is: Human proofs for one verified human per account when that matters; lemma.id as the user-held proof wallet underneath — passkey continuity first, step up to human proofs when bans need to stick, without becoming an identity database. Read more about the approach →

Learn more

Each page goes deeper on one aspect — without repeating the full homepage story.

Trust & data model About the approach Integration docs Live demo Pricing For IDV providers Privacy policy

Add isHuman to your site

Stop repeat abusers from returning as fresh accounts. lemma.id handles the private proof layer; isHuman is the assurance tier that makes bans stick.

Add to Your Site Watch Demo

Bind • Detect • Enforce