Tag: orcid authentication

  • ArXiv ORCID Authentication for Preprints

    ArXiv ORCID authentication lets a researcher link a persistent ORCID iD to their arXiv account, and it is one of two models preprint servers use to establish who an author is before a paper ever reaches peer review — the other being direct “log in with ORCID,” used by bioRxiv. Neither model performs formal identity verification in the legal sense; both rely on ORCID’s OAuth authentication to confirm that the person submitting genuinely controls the ORCID iD they claim.

    ORCID authentication is the OAuth-based process by which a researcher proves control of their ORCID iD to a third-party system — such as a preprint server — by signing in directly at orcid.org, without ever sharing a password with that third party. This distinction matters for research administrators and developers assessing how much identity assurance a preprint record actually carries.

    How does ORCID authentication work before publication?

    ORCID authentication runs on a three-legged OAuth flow, documented by ORCID’s own integration guide. A system such as a preprint server creates a “Connect your ORCID iD” link; when a researcher clicks it, they are redirected to orcid.org, sign in with their own ORCID credentials, and explicitly grant the requesting system permission to read (and, for member integrations, write) specific parts of their record.

    ORCID then returns an authorisation code, which the preprint server exchanges for an access token. That token — not a copied-and-pasted ID number — is what proves the connection is genuine. According to ORCID’s documentation, the organisation does not permit manual entry of ORCID iDs in any workflow where authenticated collection is technically possible, precisely because typed-in IDs cannot prove ownership.

    • Public API: free, available to non-commercial and commercial integrations, sufficient for basic authenticated sign-in and read access.
    • Member API: requires ORCID membership, needed to write data (such as adding the preprint itself) directly to a researcher’s record.
    • Sandbox environment: a full ORCID Sandbox testing server lets integrators build and demo the OAuth flow before ORCID’s engagement team approves production Member API credentials.

    How arXiv verifies author identity with ORCID

    arXiv treats ORCID primarily as a disambiguation and record-linking layer rather than a submission gate. Authors link an existing ORCID iD — or create one during the process — via arXiv’s account dashboard, and the platform then prefers the ORCID iD over its own internal arXiv author identifiers wherever possible “in order to facilitate better data exchange,” per arXiv’s own documentation.

    Identity assurance on arXiv sits mainly in a separate, adjacent mechanism: endorsement. As of 21 January 2026, arXiv no longer accepts an institutional email address alone as sufficient qualification for a new submitter. Under the updated policy, a new author must now satisfy one of two paths:

    1. An institutional academic/research email address and prior authorship on a paper already accepted into the relevant arXiv endorsement domain, or
    2. Direct personal endorsement from an established arXiv author already active in that same domain.

    arXiv’s own guidance notes that authors contacting a potential endorser may include a link to their ORCID profile as supporting evidence, though ORCID linkage itself is not a mandatory endorsement criterion. Misrepresenting identity or institutional affiliation is, separately, a violation of arXiv’s code of conduct and grounds for account suspension.

    How bioRxiv verifies author identity with ORCID

    bioRxiv, operated by the non-profit openRxiv, takes a more direct authentication route. The platform offers a “Log in with ORCiD” option at the account level: when a submitter authenticates this way, bioRxiv receives an ORCID-verified identifier straight from ORCID’s OAuth flow, rather than a self-typed value.

    During manuscript submission, corresponding authors can also attach ORCID iDs for themselves and co-authors, which are then carried into the preprint’s metadata. This matters for provenance: under ORCID’s documented preprint workflow, an ORCID-member preprint server can add the work to an author’s ORCID record with a “Self” relationship, and later — once a peer-reviewed version exists — a publisher can add the journal article with a “Version of” relationship linking the two, grouping the preprint and its published descendant on one authoritative record.

    arXiv vs bioRxiv: ORCID identity assurance compared

    The two platforms diverge on where, and how strongly, ORCID authentication sits in the submission path:

    | Feature | arXiv | bioRxiv |
    |---|---|---|
    | ORCID collection point | Account linking, post-registration | Optional login and/or manuscript submission |
    | Authentication method | Account-page OAuth link to ORCID | Direct “Log in with ORCiD” OAuth sign-in |
    | Mandatory for submission? | No — recommended, not required | No — optional for authors and co-authors |
    | Separate identity gate | Endorsement policy (updated 21 Jan 2026) | Basic screening for offensive/non-scientific content |
    | Co-author ORCID capture | Not built into the submission form | Can be added at submission by corresponding author |

    What this means for identity assurance ahead of peer review

    ORCID authentication and identity verification are not the same thing, and conflating them overstates what a preprint record actually proves. An authenticated ORCID iD confirms that a specific, persistent researcher account is behind a submission. It does not confirm a person’s legal name, employer, or credentials — those rest on the separate affiliation and endorsement checks each platform runs independently.

    Funders are pushing this authentication layer further upstream. UK Research and Innovation (UKRI) is building mandatory ORCID iD linking into its Funding Service for project leads, co-leads and fellows, with the requirement expected to take effect roughly six months after the relevant functionality launches, targeted for 2027. That shifts identity assurance earlier — to the funding-application stage — rather than leaving it solely to the preprint or journal submission step.

    For institutions and developers building on this infrastructure, the practical takeaway is clear: treat an authenticated ORCID iD as strong evidence of account control, and treat endorsement, institutional email, and funder-linked ORCID mandates as the separate, complementary layers that build fuller identity assurance around it.

    Frequently asked questions

    Do arXiv papers appear on ORCID?

    Yes. Once an author links their ORCID iD to their arXiv account, their arXiv works are unambiguously connected to their broader scholarly record, helping distinguish them from authors with similar names across other platforms and repositories.

    How do I add an arXiv preprint to ORCID?

    Authors can search by arXiv identifier directly within their ORCID record’s “Add works” tool, or link their arXiv account to ORCID so eligible works sync automatically. Manual entry of someone else’s ORCID iD is not permitted under ORCID’s collection policy.

    Does an arXiv preprint count as a publication?

    Not in the traditional peer-reviewed sense. ArXiv preprints are not peer-reviewed before posting, so most journals and funders treat them as a distinct output type — citable, but separate from the peer-reviewed version of record that may follow.

    What is the arXiv identifier?

    The arXiv identifier (or arXiv ID) is a unique code assigned to every submitted paper, used to cite and retrieve it. It is distinct from an author’s ORCID iD, which identifies the person rather than the paper.

    Looking ahead

    arXiv and bioRxiv show two workable but distinct approaches to the same problem: using ORCID’s authenticated, OAuth-based identifiers to anchor preprint authorship without claiming to verify legal identity outright. As funders such as UKRI extend ORCID requirements into the funding-application stage, the identity-assurance chain around research outputs is likely to start earlier and grow more consistent — well before a manuscript ever reaches a preprint server or a peer-review desk.

    For research administrators mapping authorship and contribution practices onto institutional systems, understanding exactly what an authenticated ORCID iD does and does not prove is a prerequisite for sound research administration policy — not an afterthought.

  • Is ORCID Legit? Its Limits Against Paper Mills

    ORCID is legitimate: it is a real, non-profit persistent-identifier registry used by thousands of publishers, funders and institutions worldwide. But “legitimate” is not the same as “fraud-proof.” ORCID’s own documentation confirms that an ORCID iD verifies control of an email address and account — not a researcher’s real-world identity, credentials, or institutional affiliation — which is exactly the gap paper mills exploit.

    An ORCID iD is a free, sixteen-digit persistent identifier that distinguishes one researcher from another and links that person to their publications, grants and affiliations. That single-sentence definition explains why ORCID is trusted — and why, on its own, it was never designed to stop organised authorship fraud.

    This piece is a CASRAI editorial perspective: it argues that identity-layer tools like ORCID and contribution-layer tools like the CRediT taxonomy solve different problems, and that conflating the two leaves a detection gap that paper mills are actively exploiting.


    What does an ORCID iD actually verify?

    An ORCID iD confirms that a person controls a given ORCID account and email address, and it links that account to a persistent, disambiguated researcher record. It does not independently confirm a person’s legal identity, employment, qualifications, or that they actually authored the works attached to their profile.

    ORCID’s own guidance is explicit on this point: the organisation states that an ORCID iD is not a form of identity verification in the government-ID sense. Registration requires only a working email address, which is the same low bar that lets a legitimate early-career researcher register in seconds — and lets a paper mill spin up a disposable account just as fast.

    Is ORCID legit? The non-profit case

    Yes. ORCID is a genuine, mission-driven non-profit: a global, not-for-profit organisation sustained by member fees from universities, publishers and funders, not by selling researcher data. It is embedded in submission workflows at major publishers and grant systems precisely because it solved a real problem: name ambiguity.

    • Common-surname collisions are severe — a mere hundred surnames account for over 85% of China’s population, with Wang, Li and Zhang alone covering more than a fifth, making name-only attribution unreliable at scale.
    • ORCID lets a researcher control which affiliations, works and peer-review activity are publicly visible, rather than relying on a publisher’s guesswork.
    • Adoption is now effectively mandatory at many funders and journals, which is a trust signal in itself — but mandated use is not the same as verified authenticity.

    So the trust question and the fraud-detection question are separate. ORCID earns trust as infrastructure; it was never marketed, and does not function, as an authorship-fraud filter.

    Can identity verification stop paper-mill authorship rings?

    No — not on its own, and the evidence for that is now substantial. The Committee on Publication Ethics (COPE) and the STM Association jointly defined and characterised the problem in their December 2022 Paper Mills Research Report, describing paper mills as commercial operations that manufacture fabricated or manipulated manuscripts and sell authorship slots, often to researchers under career pressure to publish.

    The scale became undeniable in the retraction data. Publishers retracted more than 10,000 research papers in 2023 — a record documented by Nature’s news team, with a large share traced to paper-mill-linked special issues, concentrated heavily at a single Wiley/Hindawi imprint before its special-issue programme was shut down. An ORCID iD attached to a fabricated paper did not prevent a single one of those retractions; in many cases the fraudulent authors held valid, active ORCID accounts throughout.

    That is the structural weakness: paper mills do not need to defeat ORCID, they only need to open an account, which requires nothing more than an email inbox. In response, publishers formed the STM Integrity Hub, launched in 2022, a shared cross-publisher infrastructure that pools signals — duplicate submissions, manipulated peer-review rings, image and reference manipulation — across member publishers, something ORCID’s single-account model cannot replicate, because ORCID has no mandate or mechanism to police manuscript content.

    Why a contribution taxonomy like CRediT tackles a different problem

    Identity tools answer “who is this person?” Contribution taxonomies answer a different, equally necessary question: “what did this specific person actually do on this specific paper?” CRediT, the contributor role taxonomy, was originated by CASRAI in 2014 and is now stewarded by NISO as ANSI/NISO Z39.104-2022 — CASRAI is the originator, not the current standards steward.

    CRediT requires each listed author to be tagged against a defined set of contributor roles — conceptualisation, data curation, formal analysis, writing, and others — for every submitted manuscript. That disclosure layer creates a different fraud signal than identity ever could: a co-authorship pattern where a name appears solely under “funding acquisition” across dozens of unrelated papers in a short window is implausible in a way that a valid ORCID iD alone will never flag, because ORCID has no visibility into role-level contribution claims.
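
    That role-pattern signal can be computed from submission metadata. The sketch below is an added example, not a CASRAI, NISO or publisher tool; the submission records, author keys and thresholds are constructed assumptions, set low so the sample stays small.

```python
from collections import defaultdict
from datetime import date, timedelta

FA = "Funding acquisition"  # one of the CRediT contributor roles

# Constructed sample: (manuscript, submitted, subject area, {author key: CRediT roles}).
SUBMISSIONS = [
    ("M-01", date(2024, 1, 5), "oncology",
     {"author-A": [FA], "author-B": ["Conceptualization", "Writing – original draft"]}),
    ("M-02", date(2024, 1, 19), "materials science", {"author-A": [FA], "author-C": [FA]}),
    ("M-03", date(2024, 2, 2), "linguistics", {"author-A": [FA], "author-B": ["Formal analysis"]}),
    ("M-04", date(2024, 2, 20), "hydrology", {"author-A": [FA]}),
    ("M-05", date(2024, 3, 1), "oncology", {"author-A": [FA], "author-C": [FA]}),
    ("M-06", date(2024, 9, 15), "oncology", {"author-B": ["Investigation"]}),
]


def single_role_bursts(submissions, window_days=90, min_papers=4, min_subjects=3):
    """Flag contributors who claim the same single role on every paper and
    appear on many papers in unrelated subject areas within a short window.
    Thresholds are assumptions; a hit is a prompt for editorial review."""
    rows_by_author = defaultdict(list)
    for _ms, submitted, subject, credit in submissions:
        for author, roles in credit.items():
            rows_by_author[author].append((submitted, subject, frozenset(roles)))

    flagged = []
    for author, rows in rows_by_author.items():
        role_sets = {roles for _, _, roles in rows}
        # Skip anyone with varied or multi-role contribution statements.
        if len(role_sets) != 1 or len(next(iter(role_sets))) != 1:
            continue
        rows.sort(key=lambda r: r[0])
        best, start = None, 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= window_days.
            while rows[end][0] - rows[start][0] > timedelta(days=window_days):
                start += 1
            window = rows[start:end + 1]
            subjects = {subject for _, subject, _ in window}
            if len(window) >= min_papers and len(subjects) >= min_subjects:
                if best is None or len(window) > best["papers"]:
                    best = {
                        "author": author,
                        "role": next(iter(rows[0][2])),
                        "papers": len(window),
                        "subjects": len(subjects),
                        "first": window[0][0],
                        "last": window[-1][0],
                    }
        if best:
            flagged.append(best)
    return sorted(flagged, key=lambda f: (-f["papers"], f["author"]))


if __name__ == "__main__":
    for hit in single_role_bursts(SUBMISSIONS):
        print(hit)
```

    Every author in the sample could hold a valid ORCID iD; only the role-level disclosure makes the pattern visible.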

    Neither tool substitutes for the other. Identity infrastructure and contribution disclosure address separate failure modes, and a detection strategy that leans on only one is structurally incomplete.

    | Tool | What it verifies or standardises | What it does not do |
    |---|---|---|
    | ORCID iD | Persistent identifier; confirms control of an account/email and disambiguates a researcher’s name across works | Does not verify legal identity, institutional affiliation or credentials |
    | CRediT taxonomy (ANSI/NISO Z39.104-2022) | Standardises disclosure of which of the defined contributor roles each named author performed | Does not verify that the named person exists, consented, or was even contacted |
    | STM Integrity Hub | Shares cross-publisher fraud signals in real time — duplicate submissions, manipulated peer review, image reuse | Does not itself confirm any individual author’s identity |

    Answer-first Q&A

    Is ORCID legitimate?

    Yes. ORCID is a genuine, non-profit registry that provides persistent researcher identifiers and is integrated into submission systems at most major publishers and funders. Legitimacy as an organisation, however, is separate from its capacity to verify identity — ORCID confirms account control, not real-world credentials.

    Is it safe to share an ORCID iD?

    Yes. An ORCID iD is a public, non-sensitive identifier by design, and researchers control visibility settings for the underlying record. Sharing it on a CV, manuscript, or grant application does not expose private data, since ORCID does not store the kind of personal information used for identity theft.

    Should you use ORCID?

    Yes, for disambiguation and administrative efficiency. An ORCID iD saves time on grant and manuscript forms and reliably links a researcher’s outputs across name changes or institutional moves. It should not, however, be treated by editors or reviewers as evidence that a submission’s authorship is authentic.

    Is ORCID credible?

    Yes, as infrastructure. ORCID is a trusted, community-governed non-profit that cannot be bought by a commercial entity and does not sell researcher data. Credibility as a registry does not, however, extend to guaranteeing the integrity of any individual manuscript that cites an ORCID iD.

    Implications for publishers, institutions and funders

    Editorial offices that treat a valid ORCID iD as a clearance signal are relying on infrastructure built for a different job. A layered approach performs better:

    • Require CRediT contributor-role statements alongside ORCID iDs, so implausible role patterns become visible at submission, not after retraction.
    • Cross-check institutional email domains and affiliations, since paper mills routinely fabricate both.
    • Join or query shared infrastructure such as the STM Integrity Hub, which pools cross-publisher fraud signals ORCID was never designed to hold.
    • Treat ORCID account age and activity history as a weak signal only — a freshly created account attached to a first submission warrants closer editorial scrutiny, not automatic rejection.

    Conclusion: identity plus contribution, not identity alone

    ORCID is legitimate infrastructure doing exactly the job it was built for: disambiguating researcher identity across a fragmented publishing ecosystem. Expecting it to also police fabricated authorship asks a registry to perform forensic work it has no data or mandate to do. COPE and STM’s own analysis, and the 2023 retraction record, both point the same direction: stopping paper mills requires layered defences — identity infrastructure, authorship policy, contribution disclosure, and shared publisher intelligence — working together, because no single layer was designed to catch what the others miss.

  • ORCID Authentication Explained: How Trust Markers Verify Publication Records

    ORCID authentication is the OAuth 2.0-based process that lets a researcher securely connect their ORCID iD to a publisher, funder or repository system and grant that trusted organisation permission to add or update entries on their record. Once authenticated, Crossref and DataCite can auto-update verified publication and dataset records directly, without manual re-entry by the author.

    ORCID is a non-profit organisation that issues a persistent, 16-digit researcher identifier — the ORCID iD, compatible with the ISO 27729 International Standard Name Identifier format — used across publishing, funding and repository systems to distinguish individuals who share similar or identical names. What makes the identifier useful in practice is not just its uniqueness but the authentication layer around it, which determines who is allowed to write to a researcher’s record and how that data is verified once it lands there.

    What Is ORCID Authentication?

    ORCID authentication is built on the industry-standard OAuth 2.0 protocol. ORCID’s own API documentation defines three distinct flows, each suited to a different integration pattern rather than one generic “login with ORCID” button.

    3-legged OAuth is the standard route for systems — manuscript-submission platforms, repository software, grant-management tools — that need standing permission to update a record over time. Implicit OAuth is a lighter, browser-only flow for sites that only need to confirm identity without write access. OpenID Connect sits on top of OAuth to supply a signed identity token that proves a user authenticated with ORCID at a specific moment.

    The practical difference between these flows is permission scope and token lifespan, and it directly affects how much a connected system can do with a researcher’s record:

    | OAuth flow | Permission level | Token lifespan | Typical use case |
    |---|---|---|---|
    | 3-legged OAuth | Read and update (long-lived) | Up to 20 years from issue | Manuscript systems, repositories needing ongoing update rights |
    | Implicit OAuth | Read-only, short-lived | 10 minutes | Browser-based sign-in widgets with no server backend |
    | OpenID Connect | Identity verification layer over OAuth | Session-based signed ID token | Single sign-on / point-in-time identity confirmation |

    ORCID’s API Tutorial documentation confirms that 3-legged OAuth access tokens are long-lived by default and expire 20 years after issue, while implicit-flow tokens are deliberately restricted to a 10-minute lifespan for security reasons. This asymmetry is deliberate: long-lived update rights are reserved for organisations that have gone through client registration, while anonymous or read-only integrations get a narrow, short window.

    How Do Crossref and DataCite Auto-Update ORCID Records?

    Auto-update solves a specific problem: researchers should not have to manually retype every publication onto their ORCID record. Crossref, the DOI registration agency most scholarly publishers use for journal articles, book chapters and conference papers, and DataCite, the equivalent registration agency for research data, datasets and software, both integrate directly with the ORCID registry to push metadata onto a record automatically once permission has been granted.

    The mechanism follows a fixed sequence:

    • An author submits a manuscript or dataset and supplies their authenticated ORCID iD — not simply a self-typed number.
    • The publisher or repository includes that ORCID iD in the metadata it deposits with Crossref or DataCite when registering the work’s DOI.
    • The first time a work carrying a researcher’s iD is registered, ORCID sends a one-time notification to that researcher’s ORCID inbox requesting standing permission to auto-update the record.
    • Once granted, Crossref or DataCite pushes that work — and every future work bearing the same iD from that source — directly onto the ORCID profile without further author action.

    This permission only needs to be granted once per source. Researchers can also pre-authorise DataCite proactively through their DataCite profile rather than waiting for the first notification. Either way, the update is initiated by the depositing organisation, not typed by the author — which is the detail that makes auto-updated entries structurally different from self-asserted ones.

    What Are ORCID’s Trust Markers, and Why Do They Matter for Record Integrity?

    Every entry ORCID displays carries a visible source label showing which organisation added it. When Crossref or DataCite pushes a publication or dataset via auto-update, that organisation’s name appears against the entry — a source-attribution signal this article refers to as a trust marker, distinguishing verified, third-party-asserted data from information a researcher typed in themselves.

    This distinction is the entire point of the mechanism. An ORCID record accepts three kinds of input: self-asserted entries a researcher adds manually, entries imported from a connected system with the researcher’s permission, and auto-updated entries pushed directly by a DOI registration agency once a work has been deposited under an authenticated iD. Only the third category carries an independent, verifiable chain of custody back to a registration agency’s own database — which is why it functions as a trust signal rather than a claim.

    ORCID reinforces this integrity model at the account level too. Researchers can enable two-factor authentication on their ORCID account, documented in ORCID’s Help Centre, and can review a “trusted organisations” list showing exactly which third-party applications hold update permissions, revoking any of them at any time. Together, authenticated deposit plus source-labelled display plus revocable permissions is what separates ORCID’s registry from a plain self-reported researcher directory.

    For institutions and publishers, this matters because a trust-marked record is auditable: a research office reconciling grant outputs, or a publisher checking an author’s prior work during peer review, can distinguish a Crossref-verified publication from an unverified claim without contacting the researcher directly.
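
    One way a research office could separate those three kinds of entry when auditing a record, as an added example rather than ORCID's own code. The work summaries are constructed and simplified, and the registration-agency client IDs are placeholders an auditor would replace with values confirmed out of band.

```python
# Constructed, simplified work summaries for one record. The "source" element
# uses the field names found in ORCID's API JSON (source-client-id,
# source-orcid, source-name); every value below is made up.
OWNER = "0000-0002-1825-0097"  # example iD used in ORCID's documentation

# Placeholder client IDs (assumption): replace with IDs confirmed out of band.
AGENCY_CLIENTS = {
    "APP-PLACEHOLDER-XREF": "Crossref",
    "APP-PLACEHOLDER-DCITE": "DataCite",
}


def source(name, client=None, orcid=None):
    """Build a source element shaped like the one attached to each item."""
    return {
        "source-name": {"value": name},
        "source-client-id": {"path": client} if client else None,
        "source-orcid": {"path": orcid} if orcid else None,
    }


WORKS = [
    {"doi": "10.5555/constructed.0001",
     "source": source("Crossref", client="APP-PLACEHOLDER-XREF")},
    {"doi": "10.5555/constructed.0002",
     "source": source("DataCite", client="APP-PLACEHOLDER-DCITE")},
    {"doi": "10.5555/constructed.0003",
     "source": source("Example University Repository", client="APP-PLACEHOLDER-REPO")},
    {"doi": "10.5555/constructed.0004",
     "source": source("Record owner", orcid=OWNER)},
    {"doi": "10.5555/constructed.0005", "source": None},
]


def classify(work, owner):
    """Map one entry to the three input kinds described above. The decision
    keys on the source identifier; the display name is only a label."""
    src = work.get("source") or {}
    client = (src.get("source-client-id") or {}).get("path")
    person = (src.get("source-orcid") or {}).get("path")
    if client in AGENCY_CLIENTS:
        return "registration-agency"   # auto-updated by Crossref / DataCite
    if client:
        return "connected-system"      # added by a system the researcher authorised
    if person == owner:
        return "self-asserted"         # typed in by the researcher
    return "unknown"                   # no usable source: treat as unverified


def audit(works, owner):
    """Group DOIs by source category, preserving record order."""
    groups = {"registration-agency": [], "connected-system": [],
              "self-asserted": [], "unknown": []}
    for work in works:
        groups[classify(work, owner)].append(work["doi"])
    return groups


def needs_review(works, owner):
    """DOIs without a registration-agency chain of custody."""
    return [w["doi"] for w in works
            if classify(w, owner) != "registration-agency"]


if __name__ == "__main__":
    for category, dois in audit(WORKS, OWNER).items():
        print(f"{category:20} {dois}")
```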

    Answer-First Questions About ORCID Authentication

    How Do You Authenticate an ORCID iD?

    A user clicks a “Connect your ORCID iD” link on a partner site, is redirected to orcid.org to sign in, and then authorises the requested permission scope. ORCID returns an authorisation code, which the partner’s server exchanges for an access token tied to that specific record and scope.
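
    The same exchange, which is also the three-legged flow described in the arXiv article above, sketched server-side as an added example (not ORCID's or any preprint server's code). The `exchange_code` callable, the session dict and the sample client ID are assumptions; the endpoints and the `/authenticate` scope are ORCID's public ones, pointed at the Sandbox.

```python
import hmac
import re
import secrets
import time
from urllib.parse import urlencode

ORCID_BASE = "https://sandbox.orcid.org"  # Sandbox; production is https://orcid.org
ORCID_RE = re.compile(r"^\d{4}-\d{4}-\d{4}-\d{3}[\dX]$")


class OrcidAuthError(Exception):
    """Raised when the callback or token response cannot be trusted."""


def checksum_ok(orcid_id):
    """ISO 7064 MOD 11-2 check digit: shows the iD is well-formed, not owned."""
    if not ORCID_RE.match(orcid_id):
        return False
    digits = orcid_id.replace("-", "")
    total = 0
    for ch in digits[:15]:
        total = (total + int(ch)) * 2
    check = (12 - total % 11) % 11
    return digits[15] == ("X" if check == 10 else str(check))


def begin_login(session, client_id, redirect_uri):
    """Step 1: build the 'Connect your ORCID iD' link and remember its state."""
    session["orcid_state"] = secrets.token_urlsafe(32)
    session["orcid_redirect_uri"] = redirect_uri
    query = urlencode({
        "client_id": client_id,
        "response_type": "code",
        "scope": "/authenticate",
        "redirect_uri": redirect_uri,
        "state": session["orcid_state"],
    })
    return f"{ORCID_BASE}/oauth/authorize?{query}"


def finish_login(session, params, exchange_code, now=None):
    """Steps 2-3: validate the callback, swap the code for a token, and
    return the iD that ORCID itself asserted in the token response."""
    expected = session.pop("orcid_state", None)  # single use, so a replay fails
    redirect_uri = session.pop("orcid_redirect_uri", None)
    supplied = str(params.get("state", ""))
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        raise OrcidAuthError("state mismatch: callback not tied to this session")
    if "error" in params:  # e.g. the researcher declined on orcid.org
        raise OrcidAuthError(f"authorisation refused: {params['error']}")
    if not params.get("code"):
        raise OrcidAuthError("no authorisation code in callback")

    # Assumption: in production exchange_code POSTs client_id, client_secret,
    # grant_type=authorization_code, code and redirect_uri to
    # ORCID_BASE + "/oauth/token" over TLS and returns the parsed JSON body.
    token = exchange_code(params["code"], redirect_uri)

    orcid_id = token.get("orcid", "")
    if not token.get("access_token") or not checksum_ok(orcid_id):
        raise OrcidAuthError("token response missing a valid ORCID iD")
    issued = time.time() if now is None else now
    return {
        "orcid": orcid_id,  # trusted: came from ORCID, not from a form field
        "scope": token.get("scope"),
        "expires_at": issued + int(token.get("expires_in", 0)),
        "collected_via": "oauth",  # record how the iD was obtained
    }
```

    Store only iDs collected this way as authenticated; a typed iD that merely passes `checksum_ok` is well-formed, nothing more.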

    What Does ORCID Stand For?

    ORCID stands for Open Researcher and Contributor ID. It refers both to the non-profit organisation that runs the registry and to the persistent 16-digit identifier it issues, which distinguishes individual researchers from others who share similar or identical names across publications, grants and affiliations.

    Is ORCID Legitimate?

    Yes. ORCID is an established non-profit organisation whose registry is used by major publishers, funders, universities and DOI registration agencies including Crossref and DataCite as part of standard scholarly-publishing infrastructure. Its OAuth-based authentication and source-labelled auto-update system are designed specifically to make record data verifiable rather than self-reported.

    Do You Have to Pay for ORCID?

    No. Registering for a personal ORCID iD and using the public API to read or connect a record is free for individual researchers. Fees apply only to organisations that join as ORCID members to access the member API, which is required for write/auto-update permissions on institutional or publisher integrations.

    What This Means for Institutions, Publishers and Researchers

    For research administrators, trust-marked auto-update data is a lower-friction path to accurate outputs reporting as part of routine research administration workflows: reconciling grant deliverables against a Crossref-sourced entry requires less manual verification than reconciling against a self-typed CV line. Publishers integrating ORCID at submission or peer-review stage gain a verified identity check before a manuscript enters the editorial workflow, reducing name-disambiguation errors at the point of intake rather than after publication.

    The same authenticated-identity layer increasingly sits alongside other attribution infrastructure in scholarly publishing. Many journals now pair an authenticated ORCID iD with structured contributor-role tagging — for example CRediT, the taxonomy CASRAI originated in 2014 and which is now stewarded by NISO as ANSI/NISO Z39.104-2022 — so that both who contributed and what they did are captured with the same verification discipline. Reviewing how contributor roles are defined and tagged is a natural next step for any institution formalising its authorship verification standards.

    The direction of travel is toward less manually asserted metadata and more machine-verified provenance: as more publishers and repositories register for member API access, a growing share of any given ORCID record is populated by trust-marked, auto-updated entries rather than self-typed ones — narrowing the gap between what a CV claims and what a registration agency can independently confirm.