Hanko
Passwordless authentication - European alternative based in Germany
Quick Overview
| Company | Hanko |
|---|---|
| Category | Identity Management |
| Headquarters | Kiel, Germany |
| EU/European | Yes - Germany |
| Open Source | Yes |
| GDPR Compliant | Yes |
| Main Features | Passkeys, WebAuthn, Passwordless, OAuth2, Drop-in UI components |
| Pricing | Free tier / From €99/month |
| Best For | Developers implementing passwordless auth |
| Replaces | Auth0, Firebase Auth |
Detailed Review
Hanko is a Berlin-based, open-source authentication and user management platform built specifically for the passkey era. Founded in 2020, the company has positioned itself at the forefront of the passwordless authentication movement, offering developers a modern alternative to established identity providers like Auth0, Clerk, and Firebase Auth. With a FIDO2-certified server at its core, Hanko makes passkeys the default authentication method while providing carefully designed fallback mechanisms for situations where passkeys cannot yet be used. For European organizations seeking GDPR-compliant authentication that embraces the future of web security, Hanko represents one of the most compelling options available.
The timing of Hanko's founding could not have been more strategic. The industry's shift toward passwordless authentication has accelerated dramatically, with the W3C's WebAuthn Level 3 specification advancing through standardization and major platforms including Apple, Google, and Microsoft implementing passkey support across their ecosystems. As 2026 is widely expected to be the tipping point for large-scale passwordless adoption, Hanko is perfectly positioned as a developer-friendly platform that makes implementing this technology accessible to organizations of all sizes. Being a member of the FIDO Alliance further validates Hanko's commitment to industry standards.
Passkeys and WebAuthn at the Core
Hanko's primary differentiator is its passkey-first approach to authentication. Passkeys are cryptographic credentials stored on a user's device that replace passwords entirely. When a user registers or logs in, they authenticate using their device's biometric sensor (fingerprint or face recognition), a device PIN, or a security key. The private key never leaves the user's device, and no shared secret is transmitted over the network, making passkeys fundamentally resistant to phishing, credential stuffing, and server-side data breaches. Even if an attacker compromises the server, they cannot extract credentials that would allow them to impersonate users.
Hanko implements the WebAuthn standard (Web Authentication API) and the underlying FIDO2 protocol, ensuring compatibility with all major browsers and operating systems. The platform's FIDO2 server is certified by the FIDO Alliance, providing assurance that it correctly implements the specification. This standards-based approach means that passkeys created through Hanko work with the same cross-device synchronization features offered by Apple Keychain, Google Password Manager, and Windows Hello, enabling users to access their accounts seamlessly across their devices.
Drop-in UI Components
One of Hanko's most developer-friendly features is its library of pre-built, customizable UI components called Hanko Elements. These web components provide complete authentication flows including registration, login, passkey management, and profile management that can be embedded into any web application with just a few lines of code. The components handle the complex WebAuthn ceremony, fallback flows, and error handling automatically, allowing developers to implement passwordless authentication without becoming experts in the underlying cryptographic protocols.
Hanko Elements are framework-agnostic, working with React, Vue, Angular, Svelte, Next.js, Nuxt, and plain HTML/JavaScript. The components are fully customizable through CSS variables and shadow DOM styling, allowing them to match any application's design system. For teams that need more control, Hanko also provides a JavaScript SDK and REST API that enable building completely custom authentication flows while leveraging Hanko's backend for the heavy lifting of passkey management and user identity.
Authentication Methods and Fallbacks
While passkeys are the primary authentication method, Hanko recognizes that not all users and devices support them yet. The platform provides a thoughtfully designed fallback hierarchy that includes email passcodes (one-time codes sent to the user's email), traditional passwords with optional multi-factor authentication, social login through OAuth providers like Google, Apple, GitHub, and Microsoft, and enterprise single sign-on via SAML. This layered approach ensures that applications built with Hanko can authenticate every user regardless of their device capabilities, while gently encouraging adoption of passkeys when available.
The email passcode fallback is particularly well-designed. Rather than requiring users to remember yet another password, Hanko sends a time-limited code to the user's registered email address. This provides a passwordless experience even on devices that do not yet support passkeys, maintaining the security benefits of not storing passwords while ensuring accessibility. Over time, as passkey support becomes universal, these fallback methods become less frequently needed.
Self-Hosted and Cloud Options
Hanko offers both self-hosted and cloud-hosted deployment options, giving organizations flexibility in how they manage their authentication infrastructure. The self-hosted option is open-source under the AGPL license, meaning organizations can run Hanko on their own infrastructure with full control over user data, authentication flows, and system configuration. This is particularly valuable for European organizations subject to GDPR that need to ensure user authentication data never leaves their controlled environment.
The Hanko Cloud offering provides a fully managed authentication service that eliminates the need to maintain infrastructure, handle updates, and ensure high availability. Cloud plans are designed for teams that want to get started quickly without DevOps overhead. Both deployment options provide the same feature set, so organizations can start with the cloud and migrate to self-hosting later, or vice versa, without changing their application integration code.
Developer Experience and Integration
Hanko has invested heavily in developer experience, providing comprehensive documentation, quickstart guides for popular frameworks, and example applications. The platform offers official integration guides for Next.js, Nuxt, SvelteKit, Fresh (Deno), and other modern frameworks. The REST API follows conventional patterns and is well-documented with OpenAPI specifications. SDKs are available for JavaScript/TypeScript, with the community contributing support for additional languages.
Integration typically involves three steps: configuring Hanko (either cloud or self-hosted) with your application's settings, embedding Hanko Elements or using the SDK for authentication flows, and validating Hanko-issued JWTs in your backend to protect API routes. The JWT-based session management is compatible with any backend framework, and Hanko provides middleware examples for Express, Fastify, Go, and other popular server technologies. This standard approach means Hanko integrates cleanly with existing application architectures without requiring wholesale changes to session management.
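As an added illustration of the third step (not code from Hanko or its middleware examples), this example validates a signed session JWT in a Node backend. It assumes RS256 and standard `exp` and `aud` claims, and uses a key pair constructed inline in place of the issuer's published public key; `signToken` and `verifySessionJwt` are assumed names.

```javascript
const crypto = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => Buffer.from(s, 'base64url');

// Constructed key pair: privateKey stands in for the issuer's signing key,
// publicKey for the verification key a backend would load from the issuer.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Sample-data helper only: mints a token so the verifier has input to check.
function signToken(claims, header = { alg: 'RS256', typ: 'JWT' }) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  const sig = header.alg === 'RS256'
    ? crypto.sign('sha256', Buffer.from(input), privateKey)
    : Buffer.alloc(0); // unsigned token, used to exercise the alg check
  return `${input}.${b64url(sig)}`;
}

// Returns the claims if the token is valid, otherwise throws.
function verifySessionJwt(token, key, { audience, now = Math.floor(Date.now() / 1000) }) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64url(h).toString('utf8'));
  // Pin the algorithm: the token must not choose how it is verified.
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  // Check the signature before trusting anything in the payload.
  if (!crypto.verify('sha256', Buffer.from(`${h}.${p}`), key, fromB64url(s))) {
    throw new Error('bad signature');
  }
  const claims = JSON.parse(fromB64url(p).toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= now) throw new Error('expired');
  // aud may be a string or an array; accept the token only if it names this API.
  if (![].concat(claims.aud ?? []).includes(audience)) throw new Error('wrong audience');
  return claims;
}
```

A route guard would call `verifySessionJwt` on the token taken from the request's cookie or `Authorization` header and reject the request when it throws.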
Security Architecture
Hanko's security architecture is built on proven cryptographic standards. The FIDO2 server handles all WebAuthn ceremonies, ensuring that cryptographic operations are performed correctly and that attestation and assertion verification follows the specification. User sessions are managed through signed JWTs with configurable expiration, and the platform supports token rotation and revocation. The open-source nature of the codebase means that security researchers and the community can audit the implementation, and Hanko actively encourages responsible disclosure of vulnerabilities.
By eliminating passwords as the primary authentication method, Hanko removes the most common attack vector in web security. There are no passwords to steal in a database breach, no credentials to phish, and no passwords for users to reuse across multiple services. The passkey-first approach represents a fundamental improvement in authentication security compared to traditional password-based systems, even those augmented with multi-factor authentication.
Passkey API for Existing Systems
For organizations that already have an authentication system but want to add passkey support, Hanko offers a standalone Passkey API. It provides the same WebAuthn endpoints that power Hanko's full authentication platform but is designed to be integrated into any existing authentication implementation. Developers can add passkeys alongside their current login methods without replacing their entire authentication stack, which gives them a gradual migration path toward passwordless authentication.
Privacy and GDPR Compliance
As a German company, Hanko operates under some of the strictest data protection laws in the world. The platform is designed with privacy-first principles including data minimization, collecting only the information strictly necessary for authentication. When self-hosted, all user data remains on your infrastructure within your chosen jurisdiction. The open-source codebase can be audited to verify data handling practices, and Hanko does not include any telemetry or data collection that sends information back to Hanko's servers in the self-hosted version. This combination of German jurisdiction, open-source transparency, and self-hosting capability makes Hanko one of the most privacy-friendly authentication solutions available.
Pricing and Plans
Hanko's open-source self-hosted version is free for all use cases with no user limits or feature restrictions. The Hanko Cloud service offers a free tier for development and small projects, with paid plans for production use that scale based on monthly active users. Enterprise plans include dedicated support, SLA guarantees, and custom configurations. The pricing is competitive with other authentication-as-a-service providers while offering the unique advantage of a full self-hosted option as a fallback.
Community and Ecosystem
Hanko maintains an active open-source community with contributions from developers worldwide. The project is hosted on GitHub where it has garnered significant attention from the developer community. Hanko also operates passkeys.io, a testing tool that helps developers experiment with passkeys in their browsers, which has become a valuable resource for the broader WebAuthn community. The team regularly publishes blog posts and guides about passkey implementation, WebAuthn standards, and authentication best practices, establishing themselves as thought leaders in the passwordless authentication space.
Who Should Use Hanko?
Hanko is ideal for developers and organizations that want to implement modern, passwordless authentication. It is particularly well-suited for European companies needing GDPR-compliant authentication with optional self-hosting, startups and SaaS companies building new applications that want to offer passkey-first login, organizations looking to reduce support costs and security risks associated with password management, developers who value open-source solutions with clean APIs and comprehensive documentation, and any organization planning to adopt passkeys as part of their security roadmap. If you believe the future of authentication is passwordless and want a European, open-source platform to get there, Hanko is one of the most compelling choices available today.
Frequently Asked Questions
Yes, Hanko is fully GDPR compliant. As a German company, it operates under some of the strictest data protection laws in the world. The platform follows privacy-first principles including data minimization, and when self-hosted, all user authentication data remains on your infrastructure within your chosen jurisdiction. The open-source codebase can be audited to verify data handling practices.
Hanko is headquartered in Berlin, Germany. Being based in Germany means the company operates under EU data protection regulations, and its German jurisdiction provides additional legal protections for user data. Hanko is also a member of the FIDO Alliance, the industry consortium that develops the authentication standards underlying passkeys.
The self-hosted open-source version of Hanko is completely free with no user limits or feature restrictions. Hanko Cloud offers a free tier for development and small projects, with paid plans for production use that scale based on monthly active users. Enterprise plans include dedicated support, SLA guarantees, and custom configurations. Visit their website for current cloud pricing details.
Hanko can replace Auth0 for passwordless authentication, Firebase Auth for user management, Clerk for drop-in authentication components, WorkOS for enterprise SSO, and Stytch for passkey and passwordless flows. It provides comparable features to these US-based services while offering the advantage of European data residency, open-source transparency, and a passkey-first approach.
Passkeys are cryptographic credentials stored on a user's device that replace passwords. Users authenticate using biometrics (fingerprint or face recognition), a device PIN, or a security key. The private key never leaves the device, making passkeys resistant to phishing and server-side breaches. Hanko makes passkeys the default authentication method with its FIDO2-certified server, while providing email passcode fallbacks for devices that do not yet support passkeys.
Yes, Hanko is open source and hosted on GitHub where it has attracted significant developer community interest. The project is licensed under the AGPL, meaning organizations can self-host and use it freely. The open-source nature ensures transparency in authentication handling, allows security auditing, and enables community contributions. Hanko also maintains passkeys.io, an open tool for testing passkey implementations.
Yes, Hanko can be fully self-hosted on your own infrastructure. The self-hosted version includes all features without user limits or restrictions. Deployment is supported through Docker containers and can be run on any Linux server, Kubernetes cluster, or cloud platform. Self-hosting ensures all user authentication data stays on infrastructure you control, which is essential for organizations with strict data sovereignty requirements.
Hanko's drop-in UI components (Hanko Elements) are framework-agnostic web components that work with React, Vue, Angular, Svelte, Next.js, Nuxt, SvelteKit, Fresh (Deno), and plain HTML/JavaScript. The REST API and JavaScript SDK can be used with any frontend or backend technology. Official integration guides and example applications are available for popular frameworks to help developers get started quickly.
Passkey authentication is fundamentally more secure than passwords. There are no credentials to steal in a database breach since private keys never leave the user's device. Passkeys provide absolute protection against phishing because they are cryptographically bound to the specific website domain. There is no risk of credential reuse across services, and brute-force attacks are impossible. Even password-plus-MFA systems are less secure than passkeys because they still rely on a shared secret that can be intercepted.
Hanko and Auth0 serve similar needs but with different approaches. Hanko is passkey-first with a focus on passwordless authentication, open-source with self-hosting options, based in Germany under EU jurisdiction, and designed with privacy-first principles. Auth0 (now part of Okta, a US company) offers a broader range of authentication methods and enterprise features but is proprietary, US-based, and typically more expensive at scale. Hanko is ideal for teams that prioritize passkeys, data sovereignty, and open-source transparency.