Lemma IAM Developer Docs

Integrate enterprise-grade authentication and access control into your platform in minutes

Quick Start (5 Minutes)

Get up and running with Lemma IAM in just a few minutes.

Step 1: Register Your Site

curl
curl -X POST https://lemma.id/api/v1/sites/register \
  -H "Content-Type: application/json" \
  -d '{
    "site_domain": "yourcompany.com",
    "company_name": "Your Company Inc",
    "admin_email": "[email protected]",
    "plan": "starter"
  }'

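Response: You'll receive your site_id and api_key. Save both, and store the api_key as a secret: Step 2 sends it in the X-API-Key header to change your site's permissions.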

Step 2: Define Permissions

curl
curl -X POST https://lemma.id/api/v1/sites/YOUR_SITE_ID/permissions \
  -H "X-API-Key: YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "permission_id": "admin",
    "display_name": "Administrator",
    "scope": ["*"],
    "description": "Full access"
  }'

Step 3: Add to Your Site

HTML
<script src="https://lemma.id/static/js/lemma-iam-sdk.js"></script>

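<script>
// Note: everything in this script, including apiKey, is visible to every visitor.
const lemmaIAM = new LemmaIAM({
    apiKey: 'YOUR_API_KEY',
    siteId: 'YOUR_SITE_ID'
});

// `await` is not allowed at the top level of a classic script, so wrap the check.
(async () => {
    // verifyAccess resolves to a result object (see "Basic Usage" under JavaScript SDK),
    // so test result.hasAccess rather than the object itself.
    const result = await lemmaIAM.verifyAccess(
        '/admin/users',
        'read'
    );

    if (result.hasAccess) {
        // Show protected content
    } else {
        // Redirect to access request
    }
})();
</script>

✅ Done! You now have enterprise-grade IAM with microsecond verification.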

Key Features

1,000x Faster

31-182µs verification vs 200-500ms for Auth0. Client-side verification eliminates API calls.

67% Cheaper

$0.023/MAU vs $0.07/MAU for Auth0. Client-side compute offloads costs to users.

Cryptographically Secure

Ed25519 signatures (unforgeable), OPRF revocation (privacy-preserving), AES-256-GCM encryption.

Works Offline

Credentials verified in browser. No internet required after initial setup.

Privacy-Preserving

OPRF-based revocation means server cannot track which credentials are being checked.

Email-Based Auth

No passwords to manage. Users confirm via email, get cryptographic credentials.

How It Works

Architecture Overview

  1. User requests access → Enters email on your site
  2. Email confirmation → Lemma sends confirmation email
  3. Permission lemma issued → Ed25519-signed credential
  4. Stored in browser wallet → AES-256-GCM encrypted
  5. Verification (client-side) → 0.36µs WebAssembly
  6. Background checks → Continuous nonce verification
  7. Revocation (if needed) → OPRF + Bloom filter

Authentication Flow

Sequence Diagram
User → Your Site: "Login with email"
Your Site → Lemma API: POST /api/v1/iam/request-access
Lemma → User Email: Confirmation link
User → Lemma: Click confirmation
Lemma → User Browser: Permission lemma (Ed25519 signed)
User Browser → Local Storage: Store encrypted credential
User → Your Site: Return with credential
Your Site → Client (0.36µs): Verify Ed25519 signature
Client → Your Site: ✅ Access granted

Every 5 minutes (background):
Your Site → Lemma API: Verify with fresh nonce
Lemma → Your Site: ✅ Still valid (or ❌ revoked)
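
The five-minute background check bounds how long a revoked credential keeps passing local signature verification. As an added illustration (not Lemma SDK code; the `FreshnessGate` class and the `{ nonce, valid }` answer shape are assumptions), this gate denies access when the last confirmed check is older than that window, when a reply does not match the pending nonce, or after any revocation:

```javascript
// Added example, not part of the Lemma SDK. Names and the answer shape are hypothetical.
const MAX_AGE_MS = 5 * 60 * 1000; // background check interval from the flow above

class FreshnessGate {
  constructor(now = Date.now) {
    this.now = now;            // injectable clock, so the logic can be tested offline
    this.lastValidAt = null;   // time of the last confirmed "still valid" answer
    this.revoked = false;      // sticky: once revoked, never allowed again
    this.pendingNonce = null;
  }

  // Call when a background check is sent. The nonce must be unpredictable and single-use.
  begin(nonce) { this.pendingNonce = nonce; }

  // Feed the server's answer; returns false if it was ignored as stale or replayed.
  record(answer) {
    if (this.pendingNonce === null || !answer || answer.nonce !== this.pendingNonce) return false;
    this.pendingNonce = null;
    if (answer.valid === true) this.lastValidAt = this.now();
    else this.revoked = true;
    return true;
  }

  // signatureOk is the result of the local Ed25519 check on the credential.
  allows(signatureOk) {
    if (!signatureOk || this.revoked || this.lastValidAt === null) return false;
    return this.now() - this.lastValidAt <= MAX_AGE_MS;
  }
}

// Constructed walk-through with a fake clock (milliseconds).
function demo() {
  let t = 0;
  const gate = new FreshnessGate(() => t);
  const out = [gate.allows(true)];                 // no check confirmed yet
  gate.begin('nonce-1');
  gate.record({ nonce: 'nonce-1', valid: true });
  out.push(gate.allows(true));                     // fresh confirmation
  t = MAX_AGE_MS + 1;
  out.push(gate.allows(true));                     // offline longer than the window
  gate.begin('nonce-2');
  gate.record({ nonce: 'nonce-2', valid: false });
  out.push(gate.allows(true));                     // revoked
  return out;
}
```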

API Reference - Sites

POST /api/v1/sites/register

Register a new site to use Lemma IAM

Request Body:

JSON
{
  "site_domain": "yourcompany.com",
  "company_name": "Your Company Inc",
  "admin_email": "[email protected]",
  "plan": "starter"
}

Response:

{
  "success": true,
  "site_id": "site_abc123",
  "api_key": "lemma_api_xyz789",
  "issuer_did": "did:lemma:a1b2c3...",
  "crypto_engine": "rust_ed25519_oprf"
}

API Reference - Permissions

POST /api/v1/sites/{site_id}/permissions

Create a permission definition

Request Body:

{
  "permission_id": "admin",
  "display_name": "Administrator",
  "scope": ["*"],
  "description": "Full access to all resources"
}

Scope Examples:

  • "*" - Full access to everything
  • "posts:*" - All actions on posts
  • "posts:read" - Read-only on posts
  • "/admin/*:*" - All actions on /admin paths
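
To see what each scope string above would grant before assigning it, here is an added matcher (not Lemma's implementation). Its rules are assumptions inferred from the four examples: a scope splits at the last colon, a trailing `*` is a prefix wildcard, and malformed scopes or non-canonical paths grant nothing.

```javascript
// Added example; matching rules are assumptions inferred from the scope list above.
//   "*"                    any resource, any action
//   "<resource>:<action>"  split at the LAST colon; a trailing "*" is a prefix wildcard

function parseScope(scope) {
  if (scope === '*') return { resource: '*', action: '*' };
  const i = scope.lastIndexOf(':');
  if (i <= 0 || i === scope.length - 1) return null; // malformed scope grants nothing
  return { resource: scope.slice(0, i), action: scope.slice(i + 1) };
}

function matches(pattern, value) {
  if (pattern.endsWith('*')) return value.startsWith(pattern.slice(0, -1));
  return pattern === value;
}

// Reject ".", ".." and empty path segments so that "/admin/../billing"
// is never evaluated against "/admin/*".
function isCanonical(resource) {
  if (!resource.startsWith('/')) return !resource.includes('/');
  if (resource === '/') return true;
  return resource.slice(1).split('/').every((s) => s !== '' && s !== '.' && s !== '..');
}

function scopeAllows(scopes, resource, action) {
  if (!isCanonical(resource)) return false;
  return scopes.some((scope) => {
    const p = parseScope(scope);
    return p !== null && matches(p.resource, resource) && matches(p.action, action);
  });
}

// Scopes that grant every action on a wildcard resource; worth a review before issuing.
function broadScopes(scopes) {
  return scopes.filter((scope) => {
    const p = parseScope(scope);
    return p !== null && p.action === '*' && p.resource.endsWith('*');
  });
}
```

Under these rules "/admin/*:*" covers "/admin/users" but not "/admin" or "/administrator", and `broadScopes` flags the `["*"]` scope used in the Quick Start.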

API Reference - User Access

POST /api/v1/iam/request-access

User requests access (sends email confirmation)

Request Body:

{
  "site_id": "site_abc123",
  "user_email": "[email protected]",
  "permission_level": "admin",
  "redirect_url": "https://yourcompany.com/dashboard"
}

Flow:

  1. User enters email on your site
  2. Your site calls this API
  3. Lemma sends confirmation email to user
  4. User clicks link
  5. Permission lemma issued to user's browser
  6. User redirected back to your site
  7. Verification happens automatically

API Reference - Verification

POST /api/v1/auth/verify

Verify user has access to resource (31-182µs)

Request Body:

{
  "site_id": "site_abc123",
  "user_did": "did:lemma:user456",
  "resource": "/admin/users",
  "action": "read",
  "user_lemmas": [...]  // From user's wallet
}

Response:

{
  "success": true,
  "has_access": true,
  "verification_time_us": 87.3,
  "crypto_engine": "rust_ed25519_oprf"
}

JavaScript SDK

Installation

HTML
<script src="https://lemma.id/static/js/lemma-iam-sdk.js"></script>

Basic Usage

JavaScript
// Initialize
const lemmaIAM = new LemmaIAM({
    apiKey: 'YOUR_API_KEY',
    siteId: 'YOUR_SITE_ID'
});

// Check access (client-side, 0.36µs)
const result = await lemmaIAM.verifyAccess(
    '/admin/users',  // resource
    'read'           // action
);

if (result.hasAccess) {
    showAdminPanel();
} else {
    redirectToAccessRequest();
}

Protect Routes

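// Express.js example
// Assumes `app` is an Express application and `lemmaIAM` is initialized as in Basic Usage.
app.get('/admin/*', async (req, res, next) => {
    let allowed = false;
    try {
        // verifyAccess resolves to a result object, not a boolean
        const result = await lemmaIAM.verifyAccess(
            req.path,
            'read'
        );
        allowed = result.hasAccess === true;
    } catch (err) {
        // Fail closed: a verification error must not let the request through
        allowed = false;
    }

    if (allowed) {
        next();
    } else {
        res.status(403).send('Access denied');
    }
});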

Python SDK

⚠️ Coming Soon: Python SDK is in development. For now, use direct API calls.

Direct API Usage (Current)

Python
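import requests

# Credentials from the user's wallet (placeholder; supply the real list)
user_credentials = []

# Verify access
response = requests.post(
    'https://lemma.id/api/v1/auth/verify',
    json={
        'site_id': 'site_abc123',
        'user_did': 'did:lemma:user456',
        'resource': '/admin/users',
        'action': 'read',
        'user_lemmas': user_credentials
    },
    timeout=5,  # do not hang the request path if the API is unreachable
)
response.raise_for_status()  # treat HTTP errors as failures, not as answers

result = response.json()
# Fail closed: only an explicit true grants access
has_access = result.get('has_access') is True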

Support & Resources

Email Support

[email protected]
Response within 24 hours

Status

System Health
99.9% uptime SLA

Community

GitHub Issues
Developer Discord (coming soon)

Complete Examples

Protect Admin Dashboard

<!-- 1. User requests access -->
<form onsubmit="requestAccess(event)">
    <input type="email" id="userEmail" placeholder="Enter your email">
    <button type="submit">Request Access</button>
</form>

<script>
async function requestAccess(e) {
    e.preventDefault();
    const email = document.getElementById('userEmail').value;
    
    const response = await fetch('https://lemma.id/api/v1/iam/request-access', {
        method: 'POST',
        headers: { 'Content-Type': 'application/json' },
        body: JSON.stringify({
            site_id: 'YOUR_SITE_ID',
            user_email: email,
            permission_level: 'admin',
            redirect_url: window.location.href
        })
    });
    
    // Only tell the user to check their email if the request was accepted
    if (!response.ok) {
        alert('Could not send the access request. Please try again.');
        return;
    }
    
    alert('Check your email to complete setup!');
}
</script>

<!-- 2. Verify access on page load -->
<script src="https://lemma.id/static/js/lemma-iam-sdk.js"></script>
<script>
async function checkAccess() {
    const lemmaIAM = new LemmaIAM({
        apiKey: 'YOUR_API_KEY',
        siteId: 'YOUR_SITE_ID'
    });
    
    const result = await lemmaIAM.verifyAccess('/admin', 'read');
    
    if (result.hasAccess) {
        // This only reveals markup already sent to the browser;
        // enforce access on the server for the data behind the panel.
        document.getElementById('admin-panel').style.display = 'block';
    } else {
        window.location.href = '/request-access';
    }
}

window.addEventListener('DOMContentLoaded', checkAccess);
</script>

Performance

Operation            Lemma                  Auth0
Access Verification  31-182µs               200-500ms
Speed Improvement    1,000-2,700x faster    Baseline
Offline Capable      ✓ Planned              ✗ No

ℹ️ Note: Current implementation uses server-side Rust verification (31-182µs). Client-side WebAssembly verification (0.36µs, 500,000x faster) is in development for Q1 2026.

Ready to Get Started?

Start with our free tier - no credit card required
