# OIDC

> OpenID Connect integration guide for secure identity verification. Configure OIDC clients, QR code flows, and custom verification scopes in applications.

You can integrate Nuggets' secure identity verification into your own app using our **QR code flow**, powered by the [**OpenID Connect (OIDC)**](https://openid.net/developers/how-connect-works/) protocol.

***

## Create a Client

To begin, [create a partner account](/getting-started/accounts-portal) on Nuggets.

In the Nuggets Account Portal, an **OIDC Application Client** is referred to as an **"Advanced Check"**:

<Frame caption="Advanced Check (OIDC Application Client)">
  <img src="https://mintcdn.com/nuggets-b89005a2/nUdoZWSc5gGcRIEv/assets/accounts-portal/advanced-check/checks.png?fit=max&auto=format&n=nUdoZWSc5gGcRIEv&q=85&s=39c8eda80bf0b0c8a8736ea89b4a51ca" alt="" width="1561" height="490" data-path="assets/accounts-portal/advanced-check/checks.png" />
</Frame>

### Configure the Client

When creating an Advanced Check, you'll be asked to provide your **Redirect URI** and **Sign Out URI**:

<Frame caption="Advanced Check - Configure">
  <img src="https://mintcdn.com/nuggets-b89005a2/nUdoZWSc5gGcRIEv/assets/accounts-portal/advanced-check/create.png?fit=max&auto=format&n=nUdoZWSc5gGcRIEv&q=85&s=528866fe0b48995a392415e76d5dbf1f" alt="" width="1562" height="781" data-path="assets/accounts-portal/advanced-check/create.png" />
</Frame>

After setup, you'll be prompted to **download a private key**:

<Frame caption="Advanced Check - Private Key Download">
  <img src="https://mintcdn.com/nuggets-b89005a2/nUdoZWSc5gGcRIEv/assets/accounts-portal/advanced-check/private-key.png?fit=max&auto=format&n=nUdoZWSc5gGcRIEv&q=85&s=9459856ec89f7cfdb0f1a58cf5cba363" alt="" width="609" height="386" data-path="assets/accounts-portal/advanced-check/private-key.png" />
</Frame>

<Warning>
  **Keep this key safe and secure** – it is critical to your application's
  security.
</Warning>

Once created, you'll be able to view the **Client ID** and additional configuration options:

<Frame caption="Advanced Check - Created">
  <img src="https://mintcdn.com/nuggets-b89005a2/nUdoZWSc5gGcRIEv/assets/accounts-portal/advanced-check/created.png?fit=max&auto=format&n=nUdoZWSc5gGcRIEv&q=85&s=e03c0b912b00ecc2ec57cfa1b4d7149a" alt="" width="1561" height="900" data-path="assets/accounts-portal/advanced-check/created.png" />
</Frame>

### Add Verifications

You can now add **Verifications** to your client. These define the specific credential proofs you'd like to request from the user.

<Frame caption="Advanced Check - Verifications">
  <img src="https://mintcdn.com/nuggets-b89005a2/nUdoZWSc5gGcRIEv/assets/accounts-portal/advanced-check/verifications.png?fit=max&auto=format&n=nUdoZWSc5gGcRIEv&q=85&s=827dcb9a7a1f7abb10d008aaabad5e67" alt="" width="1561" height="554" data-path="assets/accounts-portal/advanced-check/verifications.png" />
</Frame>

These appear during the user's interaction and help build **trust** by making it clear what information is being requested and why:

<Frame caption="Advanced Check - Invite Verifications">
  <img src="https://mintcdn.com/nuggets-b89005a2/nUdoZWSc5gGcRIEv/assets/accounts-portal/advanced-check/verifications-qr-code.png?fit=max&auto=format&n=nUdoZWSc5gGcRIEv&q=85&s=b21ed901d3f568a8794001910813904f" alt="" width="466" height="984" data-path="assets/accounts-portal/advanced-check/verifications-qr-code.png" />
</Frame>

<Note>
  If no verifications are configured, users will see "unknown" as the requesting
  party on the QR code screen.
</Note>

***

## Configuring your flow

The user flow is determined by the OIDC scopes you specify. These scopes define what type of verification or information you require from the user during authentication.

* `rightToWork`: Request a Right to Work check from the user.
* `kyb`: Request the user to verify their business using KYB.
* `ageOver`: Request proof that the user is over a specified age. The age is passed as part of the PAR ([Pushed Authorization Request](https://datatracker.ietf.org/doc/html/rfc9126)).

***

## How It Works

1. Your backend **generates a QR code** that encodes an OIDC authentication request.
2. The user **scans the QR code** with the Nuggets mobile app.
3. The app prompts the user to share the requested **Verifiable Credentials** (VCs).
4. After consent and validation, Nuggets completes the OIDC flow and redirects to your configured `redirect_uri` with a valid `id_token` and/or `access_token`.
5. Your application **decodes the token** and uses the embedded claims (e.g. DID, age, role) to grant access or customize the experience.
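
Step 5 is where the trust decision happens: the claims are only usable once the `id_token` signature, issuer, audience, expiry and nonce have been checked. The Node.js sketch below is an added example, not Nuggets' own code; the ES256 algorithm, the issuer URL, the client ID, the claim values and the locally generated key pair are all assumptions standing in for the provider's real configuration and published key.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Assumption: ID tokens are signed with ES256. Pin whichever algorithm the
// provider's discovery document advertises; never take it from the token.
const EXPECTED_ALG = 'ES256';

function verifyIdToken(token, { publicKey, issuer, clientId, nonce, now = Date.now() / 1000 }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;

  // A header claiming "none" or any other algorithm is rejected outright.
  if (dec(h).alg !== EXPECTED_ALG) throw new Error('unexpected alg');

  // JWS ES256 signatures are raw r||s, hence dsaEncoding 'ieee-p1363'.
  const ok = verify('sha256', Buffer.from(`${h}.${p}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(s, 'base64url'));
  if (!ok) throw new Error('bad signature');

  // Claims are inspected only after the signature has been verified.
  const claims = dec(p);
  if (claims.iss !== issuer) throw new Error('wrong issuer');
  if (![].concat(claims.aud).includes(clientId)) throw new Error('wrong audience');
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  if (!nonce || claims.nonce !== nonce) throw new Error('nonce mismatch');
  return claims;
}

// Constructed signer standing in for the provider (demo and tests only).
function makeDemoToken(claims, privateKey, alg = EXPECTED_ALG) {
  const input = `${enc({ alg, typ: 'JWT' })}.${enc(claims)}`;
  const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${sig.toString('base64url')}`;
}

// Constructed key pair, issuer, client ID and claims; none are Nuggets values.
function demo() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const claims = { iss: 'https://issuer.example', aud: 'demo-client', nonce: 'n-1',
    sub: 'did:example:123', exp: Math.floor(Date.now() / 1000) + 300 };
  const token = makeDemoToken(claims, privateKey);
  return verifyIdToken(token, { publicKey, issuer: claims.iss, clientId: 'demo-client', nonce: 'n-1' });
}

console.log(demo().sub); // did:example:123
```

In a real integration, load the verification key from the provider's published key set and prefer a maintained OIDC or JWT library over hand-written parsing.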

***

## Benefits

* **Privacy-first**: no passwords, no shared secrets
* **Standards-based**: built on OIDC and W3C Verifiable Credentials
* **User-controlled**: users share only what they choose
* **Zero visibility**: Nuggets runs the provider service inside a [Confidential Compute](https://en.wikipedia.org/wiki/Confidential_computing) environment—meaning even we can't see the data being processed
