Identity / Names · EVM · Multi-chain
Human Passport (Gitcoin Passport)
Human Passport (formerly Gitcoin Passport, now part of human.tech after the Holonym acquisition) is a Sybil-defense layer that aggregates verifiable credentials ('Stamps') from web2 and web3 accounts and produces a numeric Unique Humanity Score plus a binary Human Check. Apps query the Passport API with a wallet address to retrieve the score and gate access, votes, airdrops, or quadratic-funding contributions.
- Sybil-resistant grant rounds and quadratic funding
- airdrop allowlists scored by humanity
- anti-bot gating for governance / voting
- rate-limiting LLM or AI-agent endpoints to humans
- loyalty / quest programs that need real users
- `pnpm add @gitcoinco/passport-sdk-scorer @gitcoinco/passport-sdk-verifier`

| Variable | Scope | Description |
|---|---|---|
| PASSPORT_API_KEY | Server | Server-side API key for api.passport.xyz, sent in the `X-API-KEY` header. |
| PASSPORT_SCORER_ID | Server | Numeric scorer ID configured in the Passport developer dashboard (defines weights and threshold). |
Use Human Passport / Gitcoin Passport to score wallet addresses for Sybil resistance. From a server route, call `GET https://api.passport.xyz/v2/stamps/{scorer_id}/score/{address}` with the header `X-API-KEY: $PASSPORT_API_KEY`; the response includes `score`, `passing_score`, `threshold`, and `stamps[]`. Allow the gated action only when `score >= threshold` (or use the included `passing_score` boolean), and never call the Passport API from the browser, because doing so leaks the API key. To force a refresh after a user adds new Stamps, `POST /v2/stamps/{scorer_id}/score/{address}` first, then read the score. Use `@gitcoinco/passport-sdk-verifier` if you need to verify individual stamp credentials cryptographically (DID-JWT) without trusting the hosted API.
- ⚑ Score is off-chain by default — to use it on-chain you must push it via the Passport on-chain attestation (EAS) flow, which costs gas and snapshots a single moment in time, so revocation lag is real.
- ⚑ The API rate-limits aggressively; cache scores per address with a short TTL (15–60 min) and never proxy unauthenticated client calls through your key.
- ⚑ Stamp weights and the recommended threshold (currently ~20) change between scorer versions — pin a `scorer_id` and re-tune your gate when Passport updates weights, or you'll silently let in bots.
- ⚑ Sybil bypass: many Stamps (Twitter, Google, Discord, BrightID, ENS, GTC staking) can be farmed cheaply; a high score is necessary but not sufficient — combine with World ID / Civic / on-chain history for high-value drops.
- ⚑ Stamps reveal which web2 accounts a wallet has linked — the score itself is privacy-leaking even though no raw credentials are exposed; communicate this to users.
- ⚑ The product was rebranded from Gitcoin Passport → Human Passport mid-migration; older `api.scorer.gitcoin.co` endpoints still resolve but new dev work should use `api.passport.xyz`.
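
The server-side score check and the short-TTL per-address cache described above, combined into one gate that fails closed. This is an added example, not code from Passport or its SDKs. `createPassportGate`, `passes`, `fetchImpl` and `now` are hypothetical names, and the response field types (numbers or numeric strings) are an assumption.

```javascript
// Added example: server-side Passport gate with a short-TTL cache; fails closed.
const API_BASE = "https://api.passport.xyz";
const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/; // EVM address; blocks path injection

// Assumption: numeric fields may arrive as numbers or numeric strings.
const toNum = (v) =>
  typeof v === "number" || (typeof v === "string" && v.trim() !== "") ? Number(v) : NaN;

// Decide from a score response body. Anything malformed is a "no".
function passes(body) {
  if (!body || typeof body !== "object") return false;
  if (typeof body.passing_score === "boolean") return body.passing_score;
  const score = toNum(body.score);
  const threshold = toNum(body.threshold);
  return Number.isFinite(score) && Number.isFinite(threshold) && score >= threshold;
}

// createPassportGate, fetchImpl and now are hypothetical names for this sketch;
// fetchImpl and now are injectable so the gate can be tested offline.
function createPassportGate({ apiKey, scorerId, fetchImpl = fetch, ttlMs = 15 * 60 * 1000, now = Date.now }) {
  const cache = new Map(); // lowercased address -> { allowed, expires }
  return async function isHuman(address) {
    if (typeof address !== "string" || !ADDRESS_RE.test(address)) return false;
    const key = address.toLowerCase();
    const hit = cache.get(key);
    if (hit && hit.expires > now()) return hit.allowed;
    try {
      const url = `${API_BASE}/v2/stamps/${encodeURIComponent(scorerId)}/score/${address}`;
      const res = await fetchImpl(url, { headers: { "X-API-KEY": apiKey } });
      if (!res.ok) return false; // errors and rate limits are not cached
      const allowed = passes(await res.json());
      cache.set(key, { allowed, expires: now() + ttlMs });
      return allowed;
    } catch {
      return false; // network or JSON failure: deny
    }
  };
}
```

Call `isHuman(address)` from the server route that performs the gated action, with `apiKey` and `scorerId` read from `PASSPORT_API_KEY` and `PASSPORT_SCORER_ID`.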