DEV Community

Cover image for Verify Human or AI - A Builder's Guide to Proof-of-Human Verification
anubhavbhatt
anubhavbhatt

Posted on

Verify Human or AI - A Builder's Guide to Proof-of-Human Verification

At 12:00:00, a retailer drops a thousand pairs of a limited sneaker. By 12:00:30, the entire batch is gone — not to fans, but to a swarm of checkout bots that filled carts faster than any person could click. Swap "sneakers" for concert tickets, GPU restocks, or a free-tier API key, and you've got the same story playing out across the internet right now.

The old defenses (CAPTCHAs, rate limits, phone verification, device fingerprinting) all shared one assumption: that mimicking a human was hard and expensive. That assumption is dead. AI agents can now solve puzzles, spoof devices, and rent phone numbers cheaper than the infrastructure you'd build to stop them.

So the question engineers actually need to answer isn't "is this a bot?" anymore. It's a harder one: how do you let a real, unique human be recognized across the internet, without ever learning who they are? That's what "proof of human" systems try to solve, and a handful of genuinely different approaches now exist. This is a practical look at how they work, how to integrate one, and (the part vendor pitches tend to leave out) where they get expensive, risky, or legally fraught.

Why CAPTCHA Doesn't Work Anymore

CAPTCHA was never really about "proving humanity." It was a puzzle that happened to be easier for humans than for the computer vision of its era. That gap has closed.

A 2024 ETH Zurich study using YOLOv8 object detection solved Google's reCAPTCHAv2 image challenges at close to 100% accuracy, well past the 68–71% success rates bots managed a few years earlier. Ensemble methods that combine multiple AI models now claim around 97% accuracy across CAPTCHA types generally, and even voice CAPTCHAs (once considered a decent fallback) fall to off-the-shelf speech recognition roughly 85% of the time.

The economics make it worse. Solving a CAPTCHA via AI costs on the order of $0.001; routing it to a human CAPTCHA-farm service costs around $0.50. When the automated path is 500x cheaper and more reliable, there's no incentive left for an attacker to stop.

The shift: the industry needs proof of an underlying human behind a request, not just proof that something solved a puzzle.

What "Proof of Human" Actually Means

Strip away any one vendor's branding, and a real proof-of-human system needs to answer five separate questions. Standard authentication (SSO, passkeys, face unlock on your phone) only answers the first:

  • "Is this the same person as before?" — a login. Doesn't tell you if that person has already registered nine other accounts elsewhere.
  • Uniqueness — has this specific human already been counted, across the entire population the system serves? At billion-person scale, this is a much harder matching problem than it sounds: an error rate of one-in-a-million per comparison still produces roughly a thousand false matches per query once you're comparing against a billion records. Getting uniqueness right at that scale needs error rates closer to one-in-a-hundred-billion.
  • Anonymity — can the system prove uniqueness without storing something that identifies the person, or that a breach could later de-anonymize?
  • Recovery — if someone loses their device or key, can they prove they're the same verified human again, without a single point of failure (a "master secret") that also becomes a single point of catastrophic loss?
  • Verification / repeat-detection — can a relying party (a website, an app) detect "this human already used their one free trial" without being able to link that human's activity across other, unrelated services?

That last one is usually solved with nullifiers — a value derived from the person's credential, the specific relying party, and the specific action, so the same human produces the same nullifier for the same action every time, but a different, unlinkable nullifier for a different service. It's the mechanism that lets "have you done this before, here" work without becoming a cross-site tracking ID.

A newer, sixth question has shown up as of 2026: delegation — can a human authorize an AI agent to act on their behalf, with the system still able to tell "these ten agent actions all trace back to one human" apart from "these ten agent actions are ten different humans"?

World ID is the most visible implementation of this model today: biometric uniqueness, cryptographic anonymity, nullifier-based verification. It's worth walking through what actually integrating one looks like.

Hands-On: Integrating World ID's IDKit

World ID's developer SDK is called IDKit: available as a drop-in React widget (@worldcoin/idkit), a core JS package (@worldcoin/idkit-core) for custom flows, and native Swift/Kotlin SDKs.

The integration has four moving parts:

1. Register your app. In World's Developer Portal, you get three values: app_id, rp_id (relying-party ID), and a signing_key (a backend secret, never shipped to a client).

2. Backend signs the request. Before your app asks a user to verify, your backend signs a request payload (a nonce plus creation/expiry timestamps) with signing_key. This stops someone from forging a verification request that didn't actually originate from you.

3. Client collects the proof. Your frontend initializes IDKit with your app_id and the signed request. The user completes verification in the World App, which generates a zero-knowledge proof locally. No personal data leaves their device.

4. Backend verifies and stores the nullifier. Your backend forwards the proof to World's API and gets back a verified nullifier:

POST https://developer.world.org/api/v4/verify/{rp_id}
Content-Type: application/json

{
  "nullifier_hash": "0x1a2b3c...",
  "merkle_root": "0x...",
  "proof": "0x...",
  "verification_level": "orb",
  "action": "claim-free-trial"
}
Enter fullscreen mode Exit fullscreen mode

If that call confirms the proof is valid, extract the nullifier_hash and check it against ones you've already seen for this action. That's your replay/reuse guard:

-- nullifiers are large hex values; convert to decimal and store as
-- NUMERIC(78,0) rather than a string, per World's own integration notes
CREATE TABLE used_nullifiers (
  nullifier   NUMERIC(78, 0) PRIMARY KEY,
  action      TEXT NOT NULL,
  created_at  TIMESTAMPTZ DEFAULT now()
);
Enter fullscreen mode Exit fullscreen mode
nullifier_decimal = int(nullifier_hash, 16)

existing = db.execute(
    "SELECT 1 FROM used_nullifiers WHERE nullifier = %s AND action = %s",
    (nullifier_decimal, action),
).fetchone()

if existing:
    raise AlreadyClaimedError("This human has already claimed this action.")

db.execute(
    "INSERT INTO used_nullifiers (nullifier, action) VALUES (%s, %s)",
    (nullifier_decimal, action),
)
Enter fullscreen mode Exit fullscreen mode

That's the whole loop: your backend ends up holding a cryptographic proof of human uniqueness for one specific action, and nothing else. No name, no email, no biometric template, just a number it can check for reuse.

Worth being precise about what this doesn't solve: once that session or API key exists on your side, it's protected by whatever normal session/key security you already have. Proof-of-human establishes uniqueness at enrollment and at each verified action. It isn't a substitute for the rest of your security model.

Delegating to AI Agents Without Losing the Human

The newest piece of this stack is aimed squarely at the sneaker-drop problem from the intro, just inverted: instead of stopping bots from impersonating humans, it's about letting legitimate AI agents act for a human while still being accountable to one.

As of March 2026, World partnered with Coinbase to combine AgentKit (proof that an AI agent is backed by a verified human) with x402, a Coinbase/Cloudflare protocol for stablecoin micropayments between agents. The pitch, in Coinbase's own framing: "Payments are the 'how' of agentic commerce, but identity is the 'who.'"

Mechanically: an agent carries a zero-knowledge proof that it's authorized by a specific verified human, without exposing who that human is. That lets a platform enforce a cap per human (say, three purchases per service before normal payment/fraud checks kick in) rather than a cap per agent, which a bot farm could trivially multiply by spinning up more agents.

Two numbers get cited a lot in coverage of this partnership: "17.9 million people verified globally" and a "$3–5 trillion agentic commerce market by 2030." Both are worth flagging as third-party reporting, not figures published in World's own technical documentation. Treat them as attributed estimates, not settled facts, when you're making an infrastructure decision based on them.

Beyond World ID: How the Alternatives Actually Differ

World ID isn't the only credible answer here, and the alternatives aren't just "worse" or "better": they make genuinely different trust trade-offs.

System What it actually proves Biometrics? Trust model
World ID Unique human, globally, via one-to-many iris matching Yes (iris, via the Orb) Trust the hardware's local anti-spoof detection + the multi-party computation splitting your iris data across independent operators
Privacy Pass / Private Access Tokens (Cloudflare, Apple) This device passed an integrity check recently No Trust the device's secure enclave/OS attester and the token issuer — proves a trusted device, not a unique human
Idena Passed a synchronous "FLIP" puzzle ceremony with other live participants No Trust the ceremony design — human accuracy on FLIP tests runs ~95% vs. ~60–76% for AI at time of testing, but requires recurring live participation roughly every two weeks
BrightID / Proof of Humanity Vouched for by an existing web of trust No Trust the social graph — Proof of Humanity backs this with an on-chain registry (20,000+ verified humans) and a Kleros decentralized court for disputed cases

The distinction that matters most for engineers: Privacy Pass proves a trusted device, not a unique human. If your actual requirement is "stop scripted traffic from an untrusted device," it's a lighter-weight, already-widely-deployed answer. If your requirement is closer to "one human, one vote / one airdrop / one account, globally," device attestation doesn't get you there: you need one of the personhood-specific systems, each with its own cost (biometric hardware and enrollment, or recurring live ceremonies, or dependence on an existing social graph).

The Trade-Offs Nobody Puts in the Pitch Deck

This is the section a lot of proof-of-human explainers skip, and it's arguably the more decision-relevant half of the picture.

Regulatory exposure is real and current, specifically for biometric approaches:

Jurisdiction Action Date
Kenya High Court ruled operations illegal; ordered deletion of biometric data collected without proper approval May 2025
Spain Data Protection Agency (AEPD) found GDPR violations; Spain's High Court later upheld a temporary ban on iris-scanning verification Dec 2024
Hong Kong Privacy Commissioner ordered a halt to all operations, citing the Personal Data (Privacy) Ordinance May 2024
Indonesia Ministry of Communication and Digital Affairs suspended all operations May 2025
Brazil National data protection authority (ANPD) issued a ban with daily fines of roughly $8,800 for continued data collection Jan 2025

If you're evaluating a biometric proof-of-human vendor for a global product, this table belongs in your risk assessment right next to the API docs. Regulatory posture varies by jurisdiction and can change the legality of your integration out from under you.

Attack surface is a second, separate concern from regulation. Iris spoofing isn't hypothetical: a photo of a legitimate iris combined with a contact lens has defeated consumer iris scanners before, most famously the 2016 hack of the Samsung Galaxy Note 7's iris scanner using exactly that technique. World's own engineering blog describes local anti-spoof "presentation attack detection" running on an Nvidia Jetson Xavier NX inside the Orb hardware, a real mitigation, but it's the vendor's own claim, not the result of an independent third-party audit. Forrester's public analysis has been openly skeptical that iris scanning at this scale is immune to simple presentation attacks.

There's also a more mundane, more important risk: after enrollment, the biometric isn't what's protecting the account day-to-day. A private key is. If that key is compromised, an attacker can impersonate the verified identity indefinitely. The biometric solves the one-time uniqueness problem; everything after that is standard key custody, with all the usual failure modes.

Choosing an Approach for Your Product

There's no universal answer, but the decision collapses fairly cleanly once you're honest about what you actually need:

  • You just need to stop scripted/bot traffic on already-trusted devices (most consumer web/app traffic on iOS, and increasingly other platforms) → Privacy Pass / Private Access Tokens. Lowest friction, already deployed at scale, no biometric enrollment.
  • You need a hard global-uniqueness guarantee (one account per human for an airdrop, a UBI-style distribution, or a one-vote system) and can accept biometric enrollment and its regulatory footprint → a biometric system like World ID.
  • You want strong Sybil-resistance without biometrics and can tolerate recurring live participation → Idena's ceremony model.
  • You're building on top of an existing trusted community → a social-graph system like BrightID/Proof of Humanity.

Whichever you pick, put the regulatory table above next to your technical evaluation. For a biometric system especially, "does this work in the jurisdictions our users are in" is now as load-bearing a question as "does the SDK support our stack."

Conclusion

CAPTCHA's collapse against AI didn't create the "who's really on the other end of this request" problem. It just made it impossible to ignore. What's changed is that there are now several structurally different, credible answers: biometric uniqueness matching, device attestation, live human ceremonies, and social-graph vouching. None of them is a drop-in "solved" checkbox. Each trades off enrollment friction, regulatory exposure, and attack surface differently, and the right choice depends on what you're actually trying to guarantee: a trusted device, or a unique, unrepeatable human.

Top comments (0)