Hanko is a self-hostable, API-first authentication platform built for developers who want full control over user data without relying on proprietary SaaS solutions. It provides modern authentication methods including passkeys, passwordless email passcodes, MFA, OAuth SSO, and SAML — all designed with GDPR compliance and data minimalism in mind. Built in Go and powered by WebAuthn and FIDO2, Hanko supports both web components and SDKs for seamless integration into any frontend stack.
The platform is designed for cloud-native deployment via Docker or bare metal, with a modular architecture consisting of a backend API, frontend web components (Hanko Elements), and JavaScript SDKs. It offers flexible configuration for passwordless, social-only, or passkeys-only flows, and supports both self-hosted and managed cloud deployments through Hanko Cloud, eliminating vendor lock-in.
What You Get
- Passkeys & WebAuthn Support - Enables passwordless login using biometric or hardware keys via FIDO2/WebAuthn standards, with fallback to email passcodes for device compatibility.
- OAuth SSO (Apple, Google, GitHub) - Built-in social login integration with configurable providers, allowing users to sign in with their existing accounts without passwords.
- SAML Enterprise SSO - Supports SAML 2.0 for enterprise identity providers, enabling single sign-on with Okta, Azure AD, or other SAML-compliant IdPs.
- Hanko Elements Web Components - Framework-agnostic, customizable UI components for login, registration, and profile management that work with any frontend stack via standard web components.
- MFA with TOTP & Security Keys - Supports two-factor authentication using time-based one-time passwords (TOTP) and physical security keys via WebAuthn.
- Email & Username Identifiers - Allows users to sign in with either email or username, with configurable requirements and verification workflows.
- Server-Side Sessions & Remote Revocation - Manages user sessions server-side, with the ability to revoke active sessions remotely for security and compliance purposes.
- Custom OIDC/OAuth Connections - Configure custom identity providers using OIDC or OAuth 2.0 protocols for proprietary or niche SSO integrations.
- Webhooks for Event Triggers - Receive real-time notifications for user sign-ups, logins, session events, and password changes to sync with internal systems.
- JS SDK for Custom UIs - A client-side JavaScript SDK that handles API communication, session state, and authentication flows for developers building custom authentication interfaces.
Common Use Cases
- Building a passwordless SaaS product - A startup uses Hanko to replace password-based logins with passkeys and email passcodes, reducing support tickets and improving security without requiring users to remember credentials.
- Implementing enterprise SSO for B2B apps - A company integrates SAML SSO via Hanko to allow customers to log in using their existing corporate identity providers like Azure AD or Okta.
- Launching a privacy-focused app in Europe - A developer deploys Hanko self-hosted in the EU to ensure GDPR compliance, keeping all user authentication data on their own infrastructure.
- Replacing Auth0 in a legacy system - A team migrates from Auth0 to Hanko to avoid vendor lock-in, using Hanko Elements to maintain UI consistency while gaining full data ownership and lower costs.
Under The Hood
Architecture
- Clear monorepo structure separating backend, frontend, and deployment concerns with well-defined boundaries
- Layered backend design with HTTP handlers decoupled from business logic via service and repository layers
- Dependency injection implemented through a custom container pattern, enabling flexible substitution of storage and service implementations
- Domain-driven modules for identity, storage, and email with clear interfaces and encapsulated responsibilities
- Frontend built with React and TypeScript using a reusable component library that consumes typed API clients
- Kubernetes deployments managed via Skaffold and Kustomize, ensuring environment-aware configurations without duplication
Tech Stack
- Go backend leveraging the standard library and trusted golang.org/x packages, avoiding external web frameworks
- React and TypeScript frontend with Vite for fast development and @hanko/elements for consistent UI components
- PostgreSQL as the primary datastore with go-migrate for schema versioning and evolution
- Docker-based containerization with Skaffold orchestrating multi-service builds and Kubernetes manifests
- Comprehensive testing using Go’s native tooling and Jest/React Testing Library for full-stack validation
- CI/CD powered by GitHub Actions and Helm charts for automated, reliable deployments
Code Quality
- Extensive test coverage spanning unit, integration, and end-to-end scenarios with clear validation of success and failure paths
- Strong separation of concerns across layers, promoting maintainability and testability
- Robust error handling with descriptive messages, though custom error types are inconsistently applied
- Consistent Go idioms in naming and structure, with clear test suite conventions
- Strong type safety through well-defined data structures, configuration models, and validation layers
- Effective mocking and test utilities to isolate external dependencies and ensure deterministic behavior
What Makes It Unique
- Composite device trust cookie system that stores multiple device bindings with automatic legacy format migration, eliminating server-side session storage
- End-to-end WebAuthn UI with dynamic credential management integrated directly into the interface, removing reliance on external password managers
- Contextual i18n system that adapts UI elements based on authentication state and credential type for a seamless user experience
- Atomic, reusable component library that unifies authentication, profile, and security UIs without duplication
- Unified SDK architecture that synchronizes frontend state with backend authentication flows for declarative UI rendering
- Embedded, zero-dependency email rendering engine that enables full customization without third-party email services