Hanko
Hanko is an open-source passkey-first authentication provider that agents can use as a self-hosted or cloud service to register and authenticate users via WebAuthn passkeys with email OTP and OAuth fallbacks.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Open-source codebase allows full security auditing; passkey-first design eliminates phishable passwords. Self-hosted deployments give operators full control over data and key material, reducing third-party risk.
⚡ Reliability
Best When
Best when an agent application needs passkey auth with full code transparency, self-hosting capability, and no per-MAU pricing at scale.
Avoid When
Avoid when the team lacks the capacity to operate a self-hosted service and needs a fully managed SLA-backed auth platform.
Use Cases
- Self-hosting a fully open-source passkey auth backend for an agent application to meet data sovereignty requirements
- Adding drop-in passkey authentication to a Next.js or SvelteKit agent frontend via Hanko's pre-built web components
- Issuing JWTs after passkey login that agents validate server-side using Hanko's JWKS endpoint
- Federating social login (Google, GitHub) into Hanko as OAuth providers while keeping passkey as the primary credential
- Migrating an existing user base to passkeys incrementally, using Hanko's email OTP as a bridge auth method during rollout
Not For
- Teams that cannot run or maintain a self-hosted backend and need a fully managed zero-ops auth service
- Applications requiring enterprise SAML 2.0 or LDAP integration out of the box without custom development
- Highly regulated industries requiring a certified identity provider with formal compliance attestations beyond SOC2
Interface
Authentication
Hanko Cloud uses API keys for management; self-hosted instances use admin secrets. Authentication issues cookies or bearer JWTs, and a JWKS endpoint is available for server-side token validation.
Pricing
Open-source Apache 2.0 license; self-hosting is fully free. Hanko Cloud provides managed hosting with a generous free tier. No per-MAU charges on self-hosted deployments.
Agent Metadata
Known Gotchas
- ⚠ WebAuthn ceremonies require browser/device interaction — agents cannot complete passkey registration or authentication in a purely server-side or headless context
- ⚠ Self-hosted deployments require agents to manage JWKS key rotation independently; a failure to refresh JWKS after a key rotation causes all JWT validations to fail silently
- ⚠ Hanko's web components use shadow DOM, which can conflict with agent-generated UI frameworks that try to instrument or patch form elements for autofill or analytics
- ⚠ Email OTP codes expire in 5 minutes by default on self-hosted; if an agent orchestrates a multi-step flow before the user checks email, the OTP will be stale and require re-triggering
- ⚠ OAuth social login redirect URIs must be registered both in Hanko's config and in the OAuth provider's app settings; a mismatch causes a redirect_uri_mismatch error that is difficult to debug without access to both logs
Alternatives
Scores are editorial opinions as of 2026-03-06.