Hanko
Last verified 2026-05-30 · Reviewed by guptadeepak
Editorial verdict
Hanko is the open-source passkey-first CIAM in 2026: orchestration quality at the level of Stytch, but with AGPL self-host as an option and EU data sovereignty by default. For B2C consumer apps where passkey adoption is the goal and B2B Enterprise SSO is not the priority, Hanko is one of the strongest picks. For B2B SaaS or compliance-heavy workloads, the narrow scope shows.
At a glance
- Best for: B2C consumer apps prioritizing high passkey adoption with self-host option
- Pricing: tiered-mau
- Free tier: 10,000 MAU
- Deployment: cloud-saas, self-hosted
- SOC 2 Type II: Partial
- Passkeys: Native
- Self-host: Yes
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $1.5M
- Latest round: Seed · $1.3M · 2023
- Years in business: 6 yrs
- Round led by: adesso ventures
- Profitable: Not disclosed
German open-source passkey APIs; seed from HTGF (2020) and a €1.2M round led by adesso ventures (2023).
Funding data from primary source. See also the CIAM investor landscape.
Strengths
- Best-in-class passkey orchestration among open-source CIAM (conditional UI, device-aware prompting, fallback design), with AGPL self-hostability.
- Hanko Elements (web components) ship a pre-built passkey-first login UI that drops into any framework without theming work.
- Strong DX with idiomatic SDKs across JS frameworks (React, Next, Vue, Svelte) plus Go for backend.
- EU-headquartered with EU data residency and GDPR-first product design.
Limitations
- Authorization is rudimentary: RBAC is partial, no FGA, no ABAC. Pair with OpenFGA / Authzed if needed.
- Compliance footprint is narrow: SOC 2 in progress, ISO 27001 not yet, no HIPAA / FedRAMP / PCI DSS.
- B2B Organizations and Enterprise SAML are partial; Hanko is B2C-passkey-first, not a full B2B platform.
- Smaller community and ecosystem than Auth0 / Stytch / Clerk.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Support |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | No |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Partial |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Partial |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Yes |

| Capability | Support |
|---|---|
| RBAC | Partial |
| ABAC | No |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | No |

| Capability | Support |
|---|---|
| Self-service registration | Yes |
| Progressive profiling | Partial |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Partial |
| Multi-tenancy | Partial |

| Capability | Support |
|---|---|
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, vue, svelte, go |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | Yes |
| Extension model | Webhooks + custom UI elements (web components) |

| Capability | Support |
|---|---|
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | No |

| Capability | Support |
|---|---|
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | No |
| Agent vs human token separation | No |
| Web Bot Auth | No |

| Capability | Support |
|---|---|
| SOC 2 Type II | Partial |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |

| Capability | Support |
|---|---|
| Consent management | Partial |
| Preference center | Partial |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| MAU | Estimated price |
|---|---|
| 10,000 MAU | $99/mo |
| 100,000 MAU | $700/mo |
| 500,000 MAU | $2,400/mo |
| 1,000,000 MAU | $4,500/mo |
- Hanko Cloud is per-MAU; self-hosted Community edition is AGPL-licensed and free
- Self-hosted Pro / Enterprise licenses available for commercial-use compliance
- Pre-built UI web components (Hanko Elements) included at all tiers
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- B2C consumer apps prioritizing high passkey adoption with self-host option
- EU-based products needing GDPR-first design and EU data residency
- Teams that want a passkey-first product with both managed and self-hosted options
Not for
- B2B SaaS requiring deep Enterprise SSO and Organizations
- Workloads requiring HIPAA, PCI DSS, ISO 27001, or FedRAMP
- Authorization-heavy use cases requiring FGA or ABAC at scale
FAQ
- How does Hanko's passkey support compare to Stytch?
  Both ship best-in-class passkey orchestration. Hanko's Elements (pre-built web components) make the rollout faster for teams using major JS frameworks; Stytch's flow-level orchestration covers more enrollment edge cases. Adoption rates among customers of both are at the top of the market: 30–50%+ within six months when properly deployed.
- What does AGPL mean for self-hosted Hanko?
  AGPL requires that any modifications to Hanko itself be released under AGPL if you offer Hanko as a network service. For most teams running Hanko as part of their own application, this is a non-issue. Hanko also offers commercial Pro / Enterprise self-hosted licenses for organizations whose legal team prefers traditional commercial terms.
- Can Hanko handle B2B SaaS authentication?
  Partially. Basic multi-tenancy and OIDC SSO work, but Organizations / Enterprise SAML / SCIM are not at the maturity of WorkOS, Frontegg, or Auth0 B2B. For B2B-first SaaS, look elsewhere; for B2C with light B2B needs, Hanko is workable.
Sources
- Hanko Pricing, accessed 2026-04-22
- Hanko Documentation, accessed 2026-04-22
- Hanko GitHub, accessed 2026-04-22
What Hanko is
Hanko launched in 2020 in Kiel, Germany, with a tightly-scoped thesis: most CIAM vendors shipped WebAuthn support but few shipped the orchestration layer that turns it into adoption. The Hanko product is built passkey-first from the ground up: Elements (pre-built web components for React / Next / Vue / Svelte) drop a passkey-first login UI into any app, and the backend handles the conditional UI, device-aware prompting, and fallback flow design that teams would otherwise need to build themselves.
Where Hanko wins
The passkey orchestration is at parity with Stytch and Descope, meaning customer adoption rates land in the 30–50% range when deployed with the default flows, materially above the orchestration-light market median. Among open-source CIAM, Hanko is unique in shipping this quality of orchestration with a self-host option.
Hanko Elements (web components) is the underrated product. A team can replace a custom login form with `<hanko-auth>` and have a passkey-first registration and login flow without theming, branding work, or framework-specific glue code. For teams that want passkeys without building the UI, this is the fastest path in the index.
EU-headquartered with EU data residency by default. For European products with GDPR sensitivity or wariness of US data jurisdiction, this is a meaningful trust signal. Self-hosting via AGPL Community edition gives teams full data sovereignty.
DX is high for the OSS CIAM tier: modern docs, idiomatic SDKs, fast onboarding.
Where Hanko hurts
Authorization is rudimentary. RBAC is partial, no ABAC, no FGA. For applications that need anything beyond "is this user authenticated and what role do they have," pair with OpenFGA, Authzed, or Permify.
Compliance is the narrowest in the index. SOC 2 Type II is in progress as of late 2025; ISO 27001, HIPAA, PCI DSS, and FedRAMP are not yet attested. For consumer apps in regulated industries or B2B SaaS shipping into compliance-conscious enterprise, this is disqualifying.
The B2B story is partial. Multi-tenancy and OIDC SSO work, but Organizations / Enterprise SAML / SCIM Directory Sync are not at the maturity of WorkOS, Frontegg, or Auth0 B2B. Hanko is a B2C-passkey-first product; B2B SaaS should pick a B2B-first vendor instead.
The community and ecosystem are smaller than Auth0's or Clerk's. Stack Overflow coverage is thin; partner integrations are limited.
How Hanko compares
The most direct comparisons are Stytch vs Hanko for the passkey-first call and Hanko vs Corbado for the OSS-passkey-specialist call. For broader OSS CIAM, Keycloak, FusionAuth, and Ory are the alternatives. For passkey orchestration as a layer in front of any underlying CIAM, Authsignal and Corbado are the specialist picks.
