Configs · Apr 23, 2026 · 3 min read

Hanko — Open-Source Passkey-First Authentication

Hanko is a self-hosted authentication server that puts passkeys and biometrics first, providing a drop-in auth backend and prebuilt UI components as an open-source alternative to Auth0 and Clerk.

Introduction

Hanko is an open-source authentication platform designed around passkeys and WebAuthn as first-class login methods. It provides a backend API and prebuilt web components that let developers add passwordless authentication to any application without building auth flows from scratch.

What Hanko Does

  • Provides passkey (WebAuthn/FIDO2) registration and authentication out of the box
  • Ships prebuilt web components for login, registration, and profile management
  • Supports email passcodes, OAuth social login, and traditional passwords as fallbacks
  • Manages user sessions with configurable JWT and cookie-based token issuance
  • Exposes a RESTful admin API for user management and audit logging

Architecture Overview

Hanko consists of a Go backend that handles authentication flows, a PostgreSQL database for user and credential storage, and a set of framework-agnostic web components for the frontend. The backend implements the WebAuthn server spec for passkey ceremonies and issues JWTs upon successful authentication. A reverse proxy or API gateway sits in front to handle TLS termination and route requests between Hanko and your application.

Self-Hosting & Configuration

  • Deploy with Docker Compose including the Hanko backend and PostgreSQL
  • Configure via a YAML config file specifying allowed origins, SMTP settings, and OAuth providers
  • Set JWT secret and token lifetimes through environment variables
  • Add social login providers (Google, Apple, GitHub) by registering OAuth credentials in config
  • Helm chart available for Kubernetes deployments with Ingress support

Key Features

  • Passkey-first design with full FIDO2/WebAuthn certification compliance
  • Drop-in web components that work with any framework
  • Built-in email passcode flow for devices that do not support passkeys yet
  • Session management with JWT issuance and configurable expiration policies
  • Multi-tenant support for SaaS applications serving multiple organizations

Comparison with Similar Tools

  • Auth0 — Managed SaaS with broad integrations but no self-host option and usage-based pricing
  • Clerk — Developer-friendly hosted auth; closed source and not self-hostable
  • Authentik — Self-hosted IdP focused on SSO and directory services rather than passkeys
  • Keycloak — Full-featured Java-based IdP; heavier footprint and steeper learning curve
  • SuperTokens — Open-source session management with password focus; passkey support is newer

FAQ

Q: Can I use Hanko with React, Vue, or any frontend framework? A: Yes. Hanko ships framework-agnostic web components that work in React, Vue, Svelte, Angular, and plain HTML. Framework-specific wrappers are also available.

Q: What happens if a user's device does not support passkeys? A: Hanko falls back to email passcodes or traditional passwords, depending on your configuration. Users can register passkeys later from a supported device.

Q: Does Hanko replace my entire auth system? A: Hanko handles authentication (login and registration). Authorization (roles, permissions) is left to your application or a separate authorization service.

Q: Is Hanko FIDO2 certified? A: Hanko implements the WebAuthn Level 2 server specification and is compatible with all FIDO2-certified authenticators including platform authenticators (Touch ID, Windows Hello) and security keys.
