Developer Documentation

Everything you need to integrate Lemma into your platform

Welcome to Lemma

Lemma provides passwordless authentication with credentials that verify locally in the browser. No server calls for verification, no passwords to manage, no sessions to track.

Local Verification

Credentials are cryptographically verified in the browser using Ed25519 signatures. Your servers never handle auth traffic.

Wallet-Based Identity

Users control their credentials in a browser-based wallet protected by passkeys. No accounts, no passwords.

Privacy-First

Pairwise identifiers (PPIDs) prevent cross-site tracking. Users are pseudonymous across different sites.

Works Offline

Once credentials are issued, verification works entirely offline. Perfect for edge computing.

Quick Start

Get Lemma running on your site in 3 steps:

1. Add the SDK

HTML
<script src="https://lemma.id/static/js/lemma-wallet.js"></script>

2. Initialize the Wallet

JavaScript
const wallet = new LemmaWallet({
  siteId: 'your-site-id',
  apiKey: 'your-api-key'
});
await wallet.init();

3. Authenticate Users

JavaScript
// Start wallet redirect flow
await wallet.startRedirectFlow({ returnUrl: window.location.href });

// On return, check for credentials
const result = await wallet.checkRedirectReturn();
if (result.authenticated) {
  const ppid = await wallet.derivePPID();
  console.log('User authenticated:', ppid);
}

Need an API Key?

Register your site at lemma.id/developer to get your API key.

How It Works

The Wallet Redirect Flow

When a user needs to authenticate:

  1. Your site redirects to lemma.id/wallet/unlock
  2. User unlocks their wallet with a passkey
  3. Lemma redirects back with an encrypted credential in the URL
  4. Your site decrypts and verifies the credential locally
  5. User is authenticated - no server calls needed

Credential Verification

Credentials are W3C Verifiable Credentials with Ed25519 signatures:

JavaScript
// Verify a credential locally
const isValid = await wallet.verifyCredential(credential);

// The SDK handles:
// - Ed25519 signature verification
// - Expiration checking
// - Revocation status (synced hourly)

Pairwise Identifiers (PPIDs)

PPIDs are site-specific user identifiers derived from:

Formula
PPID = HMAC-SHA256(wallet_secret, site_domain)

This means:

  • Each user has a unique, stable identifier on your site
  • The same user has different PPIDs on different sites
  • Sites cannot correlate users across domains
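
The PPID formula above, worked through as an added example (not Lemma's SDK code), using Node's built-in `crypto` module so it runs offline. The function names `canonicalDomain` and `ppidFor`, the domain canonicalization step, the 32-byte key minimum and the sample domains are assumptions of this example, not details from the page.

```javascript
const { createHmac, randomBytes } = require('node:crypto');

// Assumption: the domain is canonicalized before it is MACed. The page does not
// say how Lemma does this; without it, "Shop.Example" and "shop.example." would
// yield unrelated PPIDs for the same site and the identifier would not be stable.
function canonicalDomain(input) {
  const host = input.includes('://') ? new URL(input).hostname : input;
  const clean = host.trim().toLowerCase().replace(/\.$/, '');
  if (!clean) throw new Error('site domain must not be empty');
  return clean;
}

// PPID = HMAC-SHA256(wallet_secret, site_domain):
// the wallet secret is the HMAC key, the site domain is the message.
function ppidFor(walletSecret, siteDomain) {
  // Assumption: 32 bytes is this example's minimum key size, not a Lemma rule.
  if (!Buffer.isBuffer(walletSecret) || walletSecret.length < 32) {
    throw new Error('wallet secret must be a Buffer of at least 32 bytes');
  }
  return createHmac('sha256', walletSecret)
    .update(canonicalDomain(siteDomain), 'utf8')
    .digest('hex');
}

// Constructed sample data: two wallets and two relying-party domains.
function demo() {
  const alice = randomBytes(32);
  const bob = randomBytes(32);
  return {
    aliceShop: ppidFor(alice, 'shop.example'),
    // Same site written differently: must map to the same PPID.
    aliceShopAgain: ppidFor(alice, 'https://Shop.Example./login'),
    // Same user on another site: a different, unlinkable PPID.
    aliceNews: ppidFor(alice, 'news.example'),
    // Another user on the same site: a different PPID.
    bobShop: ppidFor(bob, 'shop.example'),
  };
}

console.log(demo());
```

Because the wallet secret never leaves the wallet, two sites comparing the PPIDs they each hold for the same user have no shared value to join on.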