Wallet Redirect Flow
How the authentication redirect works
Authentication Flow
Lemma uses a redirect-based authentication flow similar to OAuth, but simpler:
- User clicks "Sign in with Lemma" on your site
- SDK redirects to lemma.id/wallet/unlock
- User authenticates with their passkey
- Lemma redirects back to your returnUrl
- SDK decrypts credential from URL fragment
- Credential is verified locally (no server call)
Starting the Flow
JavaScript
await wallet.startRedirectFlow({
  returnUrl: window.location.href, // Where to return after auth
  permissions: ['basic'],          // Optional: request permissions
  prompt: 'login'                  // Optional: 'login' or 'consent'
});
Handling the Return
JavaScript
const result = await wallet.checkRedirectReturn();
if (result.authenticated) {
  // User successfully authenticated
  const ppid = await wallet.derivePPID();
  const credentials = await wallet.getCredentials();
  // Update your UI
  showLoggedInState(ppid);
} else if (result.error) {
  // Handle error
  console.error('Auth failed:', result.error);
}
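The following is an added example, not part of the Lemma SDK or its documentation: defensive handling on both ends of the redirect, constraining the returnUrl to your own origin and known paths, and clearing the credential-bearing fragment from the address bar after the SDK has read it. It assumes the SDK has finished with the fragment once checkRedirectReturn() resolves; ALLOWED_RETURN_PATHS, buildReturnUrl, urlWithoutFragment and completeSignIn are hypothetical names.

```javascript
// Added example, not Lemma SDK code. ALLOWED_RETURN_PATHS and the three
// function names are hypothetical; shop.example is a constructed origin.
const ALLOWED_RETURN_PATHS = new Set(['/', '/login', '/account']);

// Build the returnUrl for wallet.startRedirectFlow() from the current location
// instead of passing window.location.href through unchanged.
function buildReturnUrl(currentHref, siteOrigin) {
  let url;
  try {
    url = new URL(currentHref, siteOrigin);
  } catch {
    return siteOrigin + '/';
  }
  // Anything that resolves to another origin (e.g. "//other.example/") is refused.
  if (url.origin !== siteOrigin) return siteOrigin + '/';
  // Unknown paths fall back to the home page; query string and fragment are
  // dropped so no caller-supplied parameters ride along on the round trip.
  const path = ALLOWED_RETURN_PATHS.has(url.pathname) ? url.pathname : '/';
  return siteOrigin + path;
}

// URL to leave in the address bar once the fragment has been consumed.
function urlWithoutFragment(href) {
  const url = new URL(href);
  return url.pathname + url.search;
}

// Return handler: let the SDK read the fragment, then scrub it so the
// encrypted credential does not stay in the history entry or get copied
// along with the URL.
async function completeSignIn(wallet, win) {
  const result = await wallet.checkRedirectReturn();
  win.history.replaceState(null, '', urlWithoutFragment(win.location.href));
  return result;
}
```

In the browser, pass window.location.origin as siteOrigin and call completeSignIn(wallet, window) on page load.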
Security
End-to-End Encryption
Credentials are encrypted with a key derived from your site's domain. Even if the URL is intercepted, the credential cannot be decrypted by other sites.