Passkey-first authentication for modern web applications
Hanko is a German open-source authentication platform that puts passkeys first, enabling developers to add passwordless login to web applications with drop-in components. Founded in 2020 in Kiel, Hanko provides WebAuthn, passkey, and social login support with a managed cloud option and full self-hosting capability.
Headquarters: Kiel, Germany
Founded: 2020
Pricing
EU Data Hosting: Yes
Employees: 11-50
Open Source: Yes
Free
€29/mo
Free
Contact Sales
Billing: monthly, annual
The word "hanko" comes from the Japanese concept of a personal seal — a stamp used for centuries as a signature and mark of identity. It is a fitting name for a company that wants to reimagine how digital identity works.
Hanko was founded in 2020 in Kiel, Germany, during a period when the authentication industry was approaching an inflection point. Passwords had been the default for decades, despite being the single largest attack vector for account breaches. The FIDO Alliance had published the WebAuthn standard, Apple and Google were beginning to build passkey support into their operating systems, and the industry consensus was shifting: passwords needed to die.
The Hanko team saw an opportunity. Existing authentication providers like Auth0 and Firebase Auth were built around passwords first, with passkeys bolted on as an option. Hanko took the opposite approach — passkeys first, with fallback methods available for users whose devices did not yet support them. This is not just a philosophical difference; it shapes the entire product architecture, from the login UI components to the backend credential storage.
Today, Hanko provides an open-source authentication platform with drop-in web components, a managed cloud service with EU hosting, and a self-hosting option for teams that need complete data sovereignty. It is purpose-built for developers who want to implement modern, passwordless authentication without building it from scratch.
Hanko's core proposition is that passkeys should be the default, not an afterthought. When a user signs up or logs in, the platform prioritises passkey creation and authentication via WebAuthn/FIDO2. On supported devices, which now include all recent versions of iOS, Android, macOS, Windows, and Chrome, this means biometric authentication (fingerprint, face) or device PIN, with the cryptographic credential stored securely on the device.
The practical benefit is significant: passkeys are phishing-resistant by design, cannot be reused across sites, and eliminate the entire category of password-related attacks. For developers, Hanko handles the WebAuthn ceremony, credential management, and cross-device passkey sync without requiring deep knowledge of the underlying cryptographic protocols.
One of Hanko's smartest design decisions is packaging the authentication UI as web components. Instead of building login forms from scratch and wiring up API calls, developers add Hanko's <hanko-auth> and <hanko-profile> elements to their pages. These components handle the entire login flow — passkey prompt, email passcode fallback, social login — with a customisable UI that adapts to the application's design system.
The components work with any frontend framework: React, Next.js, Vue, Svelte, Angular, or plain HTML. For a typical integration, a developer can go from zero to working authentication in under an hour. This speed-to-implementation is Hanko's biggest practical advantage over building custom authentication or configuring more complex identity platforms.
Hanko's server is fully open-source, which means three things: you can audit the code, you can contribute to it, and you can self-host it. Self-hosting via Docker gives organisations complete control over user credentials and session data — nothing leaves your infrastructure. For organisations in regulated sectors or those with strict data residency requirements, this is not a convenience but a necessity.
The open-source model also means no vendor lock-in. If Hanko Cloud changes pricing or direction, you can migrate to self-hosted without losing functionality. Your user data and passkey credentials remain portable.
While passkeys are the primary authentication method, Hanko recognises that not every user is ready for passwordless login. Social login support (Google, Apple, GitHub, and others) provides familiar alternatives. Email passcodes offer another fallback — a one-time code sent to the user's email, eliminating passwords while maintaining broad device compatibility.
This layered approach is pragmatic. It lets developers adopt passkey-first authentication today without forcing it on users whose devices or habits have not caught up.
Hanko includes a user management dashboard for viewing, searching, and managing user accounts. Session management lets administrators revoke active sessions, and webhook events can trigger downstream processes when users sign up, log in, or update their profiles. These are table-stakes features for any authentication platform, and Hanko covers them without requiring external tooling.
Hanko's pricing reflects its open-source-first philosophy. The self-hosted version is completely free with no user limits — you pay only for your own infrastructure. For teams that prefer managed hosting, Hanko Cloud offers a free tier with a generous monthly active user allowance, making it viable for startups and side projects.
The Pro tier adds custom branding, higher MAU limits, and priority support. Enterprise pricing is custom and includes dedicated support, SLAs, and onboarding assistance. Compared to Auth0, which charges per active user and can reach thousands of euros monthly at scale, Hanko's pricing is dramatically more accessible — especially when self-hosting removes the per-user cost entirely.
The value proposition is strongest for early-stage startups and small teams who want production-ready authentication without recurring auth costs, and for privacy-conscious organisations that need self-hosted deployment without paying enterprise licensing fees.
As a German company (Hanko GmbH, Kiel), Hanko operates under EU jurisdiction by default. Hanko Cloud hosts user data in EU data centres, with no data transfers to non-EU jurisdictions. The platform does not embed third-party tracking or analytics in authentication flows, which matters for organisations that need to minimise data processor relationships.
The self-hosting option provides the strongest possible compliance posture: user credentials never leave your infrastructure, and you control every aspect of data retention, logging, and access. For organisations subject to GDPR's data minimisation principles, this is the cleanest architecture available.
Passkeys themselves are inherently privacy-friendly. Unlike passwords stored in databases (which can be breached), passkey private keys never leave the user's device. The server only stores a public key, which is useless without the corresponding private key. This design reduces the risk surface for authentication data breaches.
Developers building new applications who want to implement passkey-first authentication without building it from scratch. Hanko's drop-in components and clear documentation make this achievable in hours, not weeks.
Privacy-conscious startups that need GDPR-compliant authentication with the option to self-host. The free tier and open-source model eliminate the financial barrier that enterprise auth platforms impose.
European SaaS companies that want to offer passwordless login to their users while keeping authentication data in EU infrastructure, using a provider that is itself EU-based.
Security-focused teams who recognise that passwords are the weakest link and want to move to phishing-resistant authentication as a default.
Hanko is a bet on where authentication is heading. With Apple, Google, and Microsoft all pushing passkeys, the direction is clear — passwords are on their way out. Hanko gives developers the tools to get there today, with an open-source foundation, EU hosting, and integration simplicity that larger auth platforms cannot match. It is still maturing: enterprise features, mobile SDKs, and ecosystem breadth lag behind Auth0. But for teams that want to build passwordless-first and value data sovereignty, Hanko is the European answer worth watching.
Yes. Hanko is a German company with cloud infrastructure hosted in the EU. The open-source option allows full self-hosting for complete data sovereignty. No third-party tracking is embedded in authentication flows.
Yes. Hanko is fully open-source and can be self-hosted using Docker or direct deployment. Self-hosting gives you complete control over user data with no dependency on Hanko's cloud services.
Hanko is passkey-first and open-source, making it ideal for teams that want passwordless authentication with EU data sovereignty. Auth0 offers a broader identity platform with more enterprise features but is US-based (Okta-owned) and significantly more expensive at scale.
Passkeys are cryptographic credentials stored on user devices that replace passwords. They are phishing-resistant, cannot be reused across sites, and provide a faster login experience. Apple, Google, and Microsoft are all pushing passkeys as the future of authentication.
Yes. Hanko supports social login with providers including Google, Apple, GitHub, and others. Social login can be used alongside passkeys, giving users multiple authentication options.