generated: '2026-07-15' method: generated source: openapi/hanko-admin-api-openapi.yml, openapi/hanko-flow-api-openapi.yml, openapi/hanko-passkey-api-openapi.yml, openapi/hanko-public-api-openapi.yml description: Recommended x-agentic-access execution contracts, classified heuristically from the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind audience per deployment. See research/curity/agentic-governance/. summary: operations: 84 by_action_class: connected: 31 acting: 53 by_consequence: read: 31 write: 53 human_in_the_loop_required: 0 operations: - path: / method: get operationId: status x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users method: get operationId: listUsers x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users method: post operationId: createUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id} method: delete operationId: deleteUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id} method: get operationId: getUser x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id} method: patch operationId: patchUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /audit_logs method: get operationId: listAuditLogs x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /metrics method: get operationId: getMetrics x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /webhooks method: get operationId: list-webhooks x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /webhooks method: post operationId: create-db-webhooks x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /webhooks/{id} method: get operationId: get-webhooks-id x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /webhooks/{id} method: delete operationId: delete-webhooks-id x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /webhooks/{id} method: put operationId: put-webhooks-id x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/emails method: get operationId: get-users-id-emails x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id}/emails method: post operationId: post-users-id-emails x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/emails/{email_id} method: get operationId: get-users-id-emails-email_id x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id}/emails/{email_id} method: delete operationId: delete-users-emails-email_id x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/emails/{email_id}/set_primary method: post operationId: post-users-emails-email_id-set_primary x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/metadata method: get operationId: get-user-metadata x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id}/metadata method: patch operationId: patch-user-metadata x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/sessions method: get operationId: get-users-sessions x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id}/sessions/{session_id} method: delete operationId: delete-users-sessions-session_id x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/otp method: get operationId: get-users-otp x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id}/otp method: delete operationId: delete-users-otp x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/webauthn_credentials method: get operationId: get-users-webauthn_credentials x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id}/webauthn_credentials/{credential_id} method: get operationId: get-users-webauthn_credentials-credential_id x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id}/webauthn_credentials/{credential_id} method: delete operationId: delete-users-webauthn_credentials-credential_id x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/password method: get operationId: get-users-password x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /users/{id}/password method: post operationId: post-users-password x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/password method: put operationId: put-users-password x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id}/password method: delete operationId: delete-users-password x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sessions method: post operationId: post_sessions x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /registration method: post x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /login method: post x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /profile method: post x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /token_exchange method: post x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/credentials method: get operationId: get-credentials x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{tenant_id}/credentials/{credential_id} method: get operationId: get-credentials-credentialId x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{tenant_id}/credentials/{credential_id} method: patch operationId: patch-credentials-credentialId x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/credentials/{credential_id} method: delete operationId: delete-credentials-credentialId x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/registration/initialize method: post operationId: post-registration-initialize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/registration/finalize method: post operationId: post-registration-finalize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/login/initialize method: post operationId: post-login-initialize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/login/finalize method: post operationId: post-login-finalize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/.well-known/jwks.json method: get operationId: get-.well-known-jwks.json x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /{tenant_id}/transaction/initialize method: post operationId: post-tenant_id-transaction-initialize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/transaction/finalize method: post operationId: post-tenant_id-transaction-finalize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/mfa/registration/initialize method: post operationId: post-mfa-registration-initialize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/mfa/registration/finalize method: post operationId: post-mfa-registration-finalize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/mfa/login/initialize method: post operationId: post-mfa-login-initialize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/mfa/login/finalize method: post operationId: post-mfa-login-finalize x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /{tenant_id}/audit_logs method: get operationId: get-tenants-tenant_id-audit_logs x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: / method: get operationId: status x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /passcode/login/initialize method: post operationId: passcodeInit x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /passcode/login/finalize method: post operationId: passcodeFinal x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /password/login method: post operationId: passwordLogin x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /password method: put operationId: password x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /webauthn/login/initialize method: post operationId: webauthnLoginInit x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /webauthn/login/finalize method: post operationId: webauthnLoginFinal x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /webauthn/registration/initialize method: post operationId: webauthnRegInit x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /webauthn/registration/finalize method: post operationId: webauthnRegFinal x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /webauthn/credentials method: get operationId: listCredentials x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /webauthn/credentials/{id} method: patch operationId: updateCredential x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /webauthn/credentials/{id} method: delete operationId: deleteCredential x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /.well-known/jwks.json method: get operationId: getJwks x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /.well-known/config method: get operationId: getConfig x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /saml/provider method: get operationId: get-saml-provider x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /saml/metadata method: get operationId: get-saml-metadata x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /saml/callback method: post operationId: post-saml-callback x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /sessions/validate method: get x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /sessions/validate method: post x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /thirdparty/auth method: get operationId: thirdPartyAuth x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /thirdparty/callback method: get operationId: thirdPartyCallback x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /token method: post operationId: token x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /user method: post operationId: getUserId x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /user method: delete operationId: deleteUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /me method: get operationId: IsUserAuthorized x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /logout method: post operationId: logout x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users method: post operationId: createUser x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /users/{id} method: get operationId: listUser x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /emails method: get operationId: listEmails x-agentic-access: action-class: connected consequence: read subject: optional token: max-ttl: 3600 audit: none - path: /emails method: post operationId: createEmail x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /emails/{id}/set_primary method: post operationId: setPrimaryEmail x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required - path: /emails/{id} method: delete operationId: deleteEmail x-agentic-access: action-class: acting consequence: write subject: required audience: null token: max-ttl: 900 escalation: human-in-the-loop: conditional triggers: - abnormal - high-value audit: required