Skip to content
This repository

If you have any questions about BrowserID, join our mailing list.

So, you want to use browserid to provide an awesome sign-in flow for your users, eh? You're three easy steps away:

1. Enable BrowserID

Include the BrowserID include.js library in your site by adding the following script tag to your pages <head> tag

<script src="" type="text/javascript"></script>

2. Identify the User

Instead of displaying a form on your site which takes a username and password, use the BrowserID JavaScript API when the user clicks your sign-in button: {
    if (assertion) {
        // This code will be invoked once the user has successfully
        // selected an email address they control to sign in with.
    } else {
        // something went wrong!  the user isn't logged in.

Upon a successful sign-in, you'll be called back with an assertion, a string containing a signed claim that proves the user is who they say they are.

NOTE: While completely optional, you might consider replacing your sign-in button with a pretty BrowserID button:

sign in button - redsign in button - bluesign in button - orangesign in button - greensign in button - grey

3. Verify the User's Identity

You must verify the assertion is authentic, and extract the user's email address from it. The easiest way to do these is to use the free verification service provided by BrowserID.

To use it, you send a request to with two POST parameters:

  1. assertion: The encoded assertion
  2. audience: The hostname and optional port of your site

IMPORTANT: this call used to be a GET. As of October 13th, 2011, it must be a POST.

The verifier will check the the assertion was meant for your site and is valid, here's an example:

$ curl -d "assertion=<ASSERTION>&audience=" ""
    "status": "okay",
    "email": "",
    "audience": "",
    "expires": 1308859352261,
    "issuer": ""

NOTE: You may choose to validate assertions on your own server. While a bit more complicated you can reduce your dependencies on others. Refer to the specification and the source for the reference validator.

Having completed the steps above, you can trust that the present user really owns the email address returned by the verifier. You don't need to perform any additional authentication unless you want to.

From here, you can perform whatever post-authentication steps you like.

For more details, have a look at our demonstration site,, and view the code behind it.

Something went wrong with that request. Please try again.