Login with Numira — integration manual
Standard OpenID Connect (Authorization Code + PKCE) where the Identity Provider is the user’s own wallet. Each app sees a different, unlinkable alias DID as the user’s sub.
1. Register
Create an app on the Apps page to get a client_id + client_secret and to register your redirect URI(s).
2. Discovery
https://api.stg.haratrust.io/v1/dsso/.well-known/openid-configuration
Lists the authorize / token / userinfo / jwks endpoints. PKCE S256 is required; id_tokens are signed EdDSA.
3. Send the user to authorize
Generate a PKCE code_verifier, stash it + a state in the user’s session, then redirect the browser to:
<issuer>/authorize
?client_id=<your-client-id>
&redirect_uri=<registered-uri>
&response_type=code
&scope=openid profile
&state=<csrf>
&code_challenge=<BASE64URL(SHA256(verifier))>
&code_challenge_method=S256
The gateway hosts the wallet‑QR page and, on approval, redirects to redirect_uri?code&state.
4. Exchange the code (server‑side)
POST <issuer>/token
Content-Type: application/json
{ "grant_type":"authorization_code", "code":"<code>",
"code_verifier":"<verifier>", "client_id":"<id>",
"client_secret":"<secret>", "redirect_uri":"<same-uri>" }
Returns an EdDSA id_token. Verify its signature against https://api.stg.haratrust.io/v1/dsso/jwks, check iss/aud/exp, and use sub as the account key.
Note: the token endpoint currently expects an application/json body. Stock OIDC libraries POST form‑encoded, so configure them to send JSON, or call /token directly. A form‑encoded parser is a pending platform update.
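Steps 3 and 4 in code, as an added example rather than Numira's own client: it creates the verifier and state, builds the authorize URL, rejects a callback whose state does not match, and prepares the JSON body the token endpoint expects. The ISSUER value, the session dict and the function names are assumptions; take the real endpoints from the discovery document.

```python
import base64, hashlib, hmac, json, secrets
from urllib.parse import parse_qs, urlencode, urlparse

ISSUER = "https://issuer.example"  # placeholder (assumption), not the real issuer

def b64url(raw: bytes) -> str:
    """Unpadded base64url, the encoding PKCE uses for verifier and challenge."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def begin_login(session: dict, client_id: str, redirect_uri: str) -> str:
    """Step 3: store verifier + state server-side, return the authorize URL."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43-128
    state = b64url(secrets.token_bytes(16))     # CSRF binding for this browser session
    session["pkce_verifier"], session["oidc_state"] = verifier, state
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    query = urlencode({
        "client_id": client_id, "redirect_uri": redirect_uri,
        "response_type": "code", "scope": "openid profile",
        "state": state, "code_challenge": challenge,
        "code_challenge_method": "S256",
    })
    return f"{ISSUER}/authorize?{query}"

def token_request(session: dict, callback_url: str, client_id: str,
                  client_secret: str, redirect_uri: str):
    """Step 4: check the callback's state, then build the JSON POST for /token."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    expected = session.pop("oidc_state", "")    # single use: a replayed callback fails
    verifier = session.pop("pkce_verifier", "")
    if not expected or not hmac.compare_digest(returned.encode(), expected.encode()):
        raise ValueError("state mismatch: reject the callback")
    if "code" not in params:
        raise ValueError("no authorization code in callback")
    body = json.dumps({
        "grant_type": "authorization_code", "code": params["code"][0],
        "code_verifier": verifier, "client_id": client_id,
        "client_secret": client_secret, "redirect_uri": redirect_uri,
    }).encode("utf-8")
    # JSON rather than form encoding, per the note above.
    return f"{ISSUER}/token", {"Content-Type": "application/json"}, body
```

Send the returned body from your server with any HTTP client, then verify the id_token as described in step 4 before trusting sub.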
Try it
Run the live demo relying party: verify.stg.haratrust.io/oidc.
Full reference: docs/integration/decentralized-sso.md. Attribute‑based login (18+, verified human) uses /v1/zk/sessions.