Multiple domains

Generating the same user identifier across multiple domains

NFID is an anonymizing identity protocol that generates new identifiers for each user account <> domain pair. If developers want to ensure the same identifiers are generated across different domains, follow these instructions.

  1. Ensure you have agent-js, auth-client, authentication, candid, identity, and principal >= v0.12.1

  2. Ensure your canister implements the https_request query call like this

  3. Set the CORS response header Access-Control-Allow-Origin to allow the NFID origin

  4. Add the alternativeOrigins json to https://<YOUR-CANISTER-ID>

      "$schema": "",
      "title": "II Alternative Origins Principal Derivation Origins",
      "description": "An object containing the alternative frontend origins of the given canister, which are allowed to use a canonical canister URL (https://<canister_id> or https://<canister_id> for principal derivation.",
      "type": "object",
      "properties": {
        "alternativeOrigins": {
          "description": "List of allowed alternative frontend origins",
          "type": "array",
          "items": {
            "type": "string"
          "minItems": 0,
          "uniqueItems": true
      "required": [ "alternativeOrigins" ]


      "alternativeOrigins": [
  5. Add the derivationOrigin key and your frontend's canister URL as the value to the NFID configuration parameters:

      loginButton.onclick = async () => {
        await authClient.login({
          onSuccess: async () => {
            process.env.DFX_NETWORK === "ic"
              ? "" + AUTH_PATH
              : process.env.LOCAL_NFID_CANISTER + AUTH_PATH,
          // Maximum authorization expiration is 30 days
          maxTimeToLive: days * hours * nanosecondsPerHour,
            `left=${window.screen.width / 2 - 525 / 2}, `+
            `top=${window.screen.height / 2 - 705 / 2},` +
          derivationOrigin: "https://<YOUR-CANISTER-ID>"

NOTE: To prevent misuse of this feature, the number of alternative origins must not be greater than 10.

View the Internet Identity specification for more information.

Doesn't this violate user privacy?

When an alternative origin assigns a canister as its derivation origin, that alternative origin effectively delegates administrative control of the application to the derivation origin. This feature is also impossible without consent from the derivation origin (via the .well-known json) and from the alternative origin (via the derivationOrigin parameter). If one of either the alternative or derivation origins drop their side of the consent, NFID will immediately begin generating new identifiers for an application's users. All of this together makes it exceptionally unlikely that any developer would willingly accept such an existential risk of the future success of their application to a third party.

Here's a forum post where someone brought this up as a concern and Dfinity's Frederik Rothenberger responded, along with a significant amount of context:

Developers (as others have already pointed out) should hopefully realize that giving up control that way is a terrible idea.

Should I use another application's Derivation Origin?

No. Adding another application as your derivation origin places an existential risk of the future success of your application on theirs. Just don't do it.

Edit this page on GitHub Updated at Wed, Mar 8, 2023