isHuman by lemma.id
Stop the same abuser
from coming back as a new account.
Require one verified human behind high-risk accounts — without storing ID documents or running KYC yourself.
Built for platforms where account rotation is the attack. Ticketing and presale drops, marketplaces, gaming, free trials, rewards — anywhere the next account is almost free.
Example
A scalper creates 500 accounts. You ban 200. Tomorrow they're back with new emails, SIMs, and proxies. Recognizing the same lemma.id helps with continuity — it doesn't stop someone from making another. Require a human proof, and coming back means identity verification again.
How lemma.id builds trust
One integration, three levels of proof
Start with lemma.id continuity. Add a presence proof when you need the holder at the device. Step up to a human proof only where one person must mean one account.
lemma.id
The continuous thing. Recognize the same returning lemma.id with a stable, site-private PPID. Good for trying the integration — but anyone can create another lemma.id, so this alone won't stop repeat abusers.
Presence proof
A fresh passkey at presentation signing shows the holder is at the device right now. Your backend gets a signed proof it can trust, with no KYC data on your servers.
Human proof
One account per verified human. A ban actually costs the abuser something. Use this when new-account rotation is the attack you're fighting.
For your real users
Already verified? No ceremony on your site.
A user who already has a human proof anywhere on the network clears your gate instantly — no ID check, no upload. Most fraud tools cost conversion; this one can improve it for returning verified users.
Why teams choose lemma.id
The gap between login and KYC
Login tells you which account signed in. Bot tools flag suspicious sessions. Neither proves two accounts are the same person. Human proofs fill that gap — privately, on your own backend.
| lemma.id + your site | Auth0 / Google SSO | Direct KYC on your stack | |
|---|---|---|---|
| Your servers store | human + ~80-char PPID |
Email, name, shared sub |
ID images, name, DOB, reports |
| Cross-site linkability | Different PPID per site | Same user ID across apps | You own the identity store |
| Return-visit checks | Local, no lemma.id call | Server token validation | Vendor re-query or re-verify |
| Ban survives rotation requires human proofs |
Block the human root, not just the email | Attacker rotates email or OAuth account | Strong, but you run KYC |
How it works
Bind, detect, enforce
lemma.id doesn't replace your login, fraud model, or moderation queue. It gives those systems something durable when someone has to go.
Bind
Tie the user to a site-private PPID. lemma.id means “same identity object.” Human proof means “same verified person.”
Detect
Your fraud and moderation tools still decide who's bad. lemma.id makes the consequence follow the person, not the email.
Enforce
Block the PPID or demand fresh verification. Once human proofs are required, a new email or SIM doesn't buy a clean slate.
Before
Bot detected → account banned → attacker rotates email, SIM, or proxy → new account, free
With human proofs
Bot detected → account tied to verified human → PPID blocked → must pass fresh IDV to return
Verifiable audit stamps
Prove a verified human did it, later
Stamp a checkout, post, or moderation call with an offline-verifiable proof. Evidence stays in your systems — re-check years later without calling lemma.id.
Stamp at the action
The SDK's stamp() helper attaches a signed credential to any event your backend records.
Verify offline
Same local verifier you use at signup. No network call on audit review day.
Your data, your systems
lemma.id doesn't store your logs. Useful for chargebacks, regulators, and “human or agent?” questions.
Developer integration
Verify a signed presentation on your backend
Most users stay on lemma.id continuity, with a presence proof when you need the holder at the device. Where you need one human per account, require a human proof. Your backend verifies the presentation and never touches KYC data.
<script src="https://lemma.id/sdk/ishuman-verifier.js"></script>
<script>
const verifier = new IsHumanVerifier({ siteId: 'app.example.com' });
const { ok, presentation } = await verifier.verifyForBackend({
autoProvision: true,
requiredAssurance: 'ishuman',
});
if (!ok) throw new Error('not_verified');
await fetch('/api/signup', {
method: 'POST',
headers: { 'Content-Type': 'application/json' },
body: JSON.stringify({ presentation }),
});
</script>
Product boundaries
What lemma.id is not
It sits between login, fraud detection, and identity verification. It doesn't replace any of them.
Not bot detection
Finding suspicious behavior is your fraud stack's job. lemma.id makes the ban stick once you've decided.
Not a global identity
Every site gets its own PPID. No shared identifier follows people across the web.
Not an identity store you run
Your servers hold a verdict and a PPID. No ID documents, names, or dates of birth.
Add isHuman to your site
The next time you ban someone, make it stick. A script tag and a backend check.