Wallet Redirect Flow
How the authentication redirect works
Authentication Flow
Lemma uses a redirect-based authentication flow similar to OAuth, but simpler:
- User clicks "Sign in with Lemma" on your site
- SDK redirects to `lemma.id/wallet/unlock`
- User authenticates with their passkey
- Lemma redirects back to your `returnUrl`
- SDK decrypts credential from URL fragment
- Credential is verified locally before your app performs any backend session/auth binding it requires
Starting the Flow
```javascript
await wallet.unlockWithRedirect({
  returnUrl: window.location.href // Where to return after auth
});
```
Handling the Return
```javascript
const result = await wallet.checkRedirectReturn();
if (result.authenticated) {
  // User successfully authenticated
  const ppid = await wallet.derivePPID();
  const credentials = await wallet.getCredentials();
  // Update your UI
  showLoggedInState(ppid);
} else if (result.error) {
  // Handle error
  console.error('Auth failed:', result.error);
}
```
Security
End-to-End Encryption
Credentials are encrypted with key material derived from your site's domain. If a URL is intercepted, unrelated sites should not be able to decrypt the credential payload.
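The following added example (not Lemma's code, and not a description of its actual scheme) illustrates the domain-binding idea: a key derived with the site's hostname as context decrypts a credential carried in a URL fragment, while a key derived for a different hostname does not. The shared secret, the HKDF and AES-256-GCM choices, the `cred` fragment name and all function names are assumptions made for the illustration.

```javascript
// Added illustration, not Lemma's implementation. Runs in Node.js.
const crypto = require('node:crypto');

// Derive a 256-bit key bound to one site. `sharedSecret` is a hypothetical
// secret known to the wallet and the SDK; the hostname is the HKDF context.
function deriveSiteKey(sharedSecret, siteUrl) {
  const host = new URL(siteUrl).hostname; // URL parsing lowercases the host
  const okm = crypto.hkdfSync('sha256', sharedSecret, Buffer.alloc(0), `site:${host}`, 32);
  return Buffer.from(okm);
}

// Encrypt a credential with AES-256-GCM; output is iv || tag || ciphertext.
function sealCredential(key, credential) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const body = Buffer.concat([cipher.update(JSON.stringify(credential), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Returns the credential, or null if the key is wrong or the payload was altered.
function openCredential(key, payload) {
  const raw = Buffer.from(payload, 'base64url');
  if (raw.length < 28) return null; // too short to hold iv (12) + tag (16)
  try {
    const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed sample: a return URL for shop.example carrying the payload in its fragment.
const secret = crypto.randomBytes(32);
function demo() {
  const payload = sealCredential(deriveSiteKey(secret, 'https://shop.example'), { ppid: 'ppid-constructed-123' });
  const fragment = new URL(`https://shop.example/account#cred=${payload}`).hash.slice('#cred='.length);
  return {
    intended: openCredential(deriveSiteKey(secret, 'https://shop.example/account'), fragment),
    unrelated: openCredential(deriveSiteKey(secret, 'https://other.example/'), fragment),
  };
}
```

Because GCM is authenticated, a wrong-domain key and a modified payload fail the same way: `openCredential` returns `null` rather than garbage plaintext.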