openapi: 3.1.0 info: version: '1.2' title: passkey-server description: >- This API shall represent the private and public endpoints for passkey registration, management and authentication termsOfService: https://www.hanko.io/terms contact: email: developers@hanko.io url: https://www.hanko.io name: Hanko Dev Team license: url: https://www.gnu.org/licenses/gpl-3.0.de.html name: GPLv3 servers: - url: https://passkeys.hanko.io paths: /{tenant_id}/credentials: get: tags: - credentials summary: List Credentials description: Get a list of webauthn credentials operationId: get-credentials parameters: - $ref: '#/components/parameters/X-API-KEY' - $ref: '#/components/parameters/user_id' - $ref: '#/components/parameters/tenant_id' - name: page in: query description: Page to start from schema: type: number default: 1 - name: per_page in: query description: How many logs should be displayed per page schema: type: number default: 20 - name: order in: query description: The sorting order of the list. Always sorted by `created at` schema: type: string enum: - asc - desc default: desc requestBody: description: '' content: {} responses: '200': $ref: '#/components/responses/get-credentials' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/credentials/{credential_id}: get: tags: - credentials summary: Get a credential description: Endpoint for getting details of a credential operationId: get-credentials-credentialId parameters: - $ref: '#/components/parameters/X-API-KEY' - $ref: '#/components/parameters/credential_id' - $ref: '#/components/parameters/tenant_id' requestBody: description: '' content: {} responses: '200': $ref: '#/components/responses/get-credential' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io patch: tags: - credentials summary: Update Credential description: Endpoint for updating a webauthn credential operationId: patch-credentials-credentialId parameters: - $ref: '#/components/parameters/X-API-KEY' - $ref: '#/components/parameters/credential_id' - $ref: '#/components/parameters/tenant_id' requestBody: $ref: '#/components/requestBodies/patch-credential' responses: '204': description: No Content '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io delete: summary: Remove Credential description: Endpoint for removing a webauthn credential operationId: delete-credentials-credentialId parameters: - $ref: '#/components/parameters/X-API-KEY' - $ref: '#/components/parameters/credential_id' - $ref: '#/components/parameters/tenant_id' responses: '204': description: No Content '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/registration/initialize: post: tags: - credentials summary: Start Passkey Registration description: Initialize a registration for webauthn credentials operationId: post-registration-initialize parameters: - $ref: '#/components/parameters/X-API-KEY' - $ref: '#/components/parameters/tenant_id' requestBody: $ref: '#/components/requestBodies/post-registration-initialize' responses: '200': $ref: '#/components/responses/post-registration-initialize' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/registration/finalize: post: tags: - credentials summary: Finish Passkey Registration description: Finish credential registration process operationId: post-registration-finalize parameters: - $ref: '#/components/parameters/tenant_id' requestBody: $ref: '#/components/requestBodies/post-registration-finalize' responses: '200': $ref: '#/components/responses/token' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/login/initialize: post: summary: Start Login description: Initialize a login flow for passkeys operationId: post-login-initialize parameters: - $ref: '#/components/parameters/tenant_id' requestBody: $ref: '#/components/requestBodies/post-login-initialize' responses: '200': $ref: '#/components/responses/post-login-initialize' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/login/finalize: post: summary: Finish Login description: Finalize the login operation operationId: post-login-finalize parameters: - $ref: '#/components/parameters/tenant_id' requestBody: $ref: '#/components/requestBodies/post-login-finalize' responses: '200': $ref: '#/components/responses/token' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/.well-known/jwks.json: get: tags: - credentials - webauthn summary: Well-known JWKS description: Endpoint for fetching JWKS operationId: get-.well-known-jwks.json parameters: - $ref: '#/components/parameters/tenant_id' responses: '200': $ref: '#/components/responses/jwks' servers: - url: https://passkeys.hanko.io /{tenant_id}/transaction/initialize: post: summary: Initialize a transaction description: Initializes a new transaction for an existing user operationId: post-tenant_id-transaction-initialize parameters: - $ref: '#/components/parameters/X-API-KEY' - $ref: '#/components/parameters/tenant_id' requestBody: $ref: '#/components/requestBodies/post-transaction-initialize' responses: '200': $ref: '#/components/responses/post-login-initialize' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '409': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' servers: - url: https://passkeys.hanko.io /{tenant_id}/transaction/finalize: post: summary: Finalize transaction description: Finalize a transaction operationId: post-tenant_id-transaction-finalize parameters: - $ref: '#/components/parameters/X-API-KEY' - $ref: '#/components/parameters/tenant_id' requestBody: $ref: '#/components/requestBodies/post-login-finalize' responses: '200': $ref: '#/components/responses/token' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' servers: - url: https://passkeys.hanko.io /{tenant_id}/mfa/registration/initialize: post: tags: - credentials - mfa summary: Start MFA Registration description: Initialize a registration for mfa credentials operationId: post-mfa-registration-initialize parameters: - $ref: '#/components/parameters/X-API-KEY' - name: tenant_id in: path description: Tenant ID required: true schema: type: string requestBody: $ref: '#/components/requestBodies/post-registration-initialize' responses: '200': $ref: '#/components/responses/post-registration-initialize' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/mfa/registration/finalize: post: tags: - credentials - mfa summary: Finish MFA Registration description: Finish credential registration process operationId: post-mfa-registration-finalize parameters: - $ref: '#/components/parameters/X-API-KEY' - name: tenant_id in: path description: Tenant ID required: true schema: type: string requestBody: $ref: '#/components/requestBodies/post-registration-finalize' responses: '200': $ref: '#/components/responses/token' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/mfa/login/initialize: post: tags: - credentials - mfa summary: Start MFA Login description: Initialize a login flow for MFA operationId: post-mfa-login-initialize parameters: - $ref: '#/components/parameters/X-API-KEY' - name: tenant_id in: path description: Tenant ID required: true schema: type: string requestBody: $ref: '#/components/requestBodies/post-mfa-login-initialize' responses: '200': $ref: '#/components/responses/post-login-initialize' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/mfa/login/finalize: post: tags: - credentials - mfa summary: Finish MFA Login description: Finalize the login operation operationId: post-mfa-login-finalize parameters: - $ref: '#/components/parameters/X-API-KEY' - name: tenant_id in: path description: Tenant ID required: true schema: type: string requestBody: $ref: '#/components/requestBodies/post-login-finalize' responses: '200': $ref: '#/components/responses/token' '400': $ref: '#/components/responses/error' '401': $ref: '#/components/responses/error' '404': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io /{tenant_id}/audit_logs: get: summary: List audit log entries description: Get a list of audit logs operationId: get-tenants-tenant_id-audit_logs tags: - audit_logs parameters: - name: page in: query description: Page to start from schema: type: number default: 1 - name: per_page in: query description: How many logs should be displayed per page schema: type: number default: 20 - name: start_time in: query description: timestamp from where to start the list schema: type: string format: date-time - name: end_time in: query description: timestamp on which to end the list schema: type: string format: date-time - name: type in: query description: comma separated list of types to query for schema: type: string - name: actor_user_id in: query description: id of the user who performed the action schema: type: string - name: meta_source_ip in: query description: ip address from which the action was performed schema: type: string - name: q in: query description: the search string schema: type: string - $ref: '#/components/parameters/tenant_id' responses: '200': description: OK content: application/json: schema: type: array items: $ref: '#/components/schemas/audit_log' headers: Link: schema: type: string description: links to pages X-Total-Count: schema: type: number description: Total number of log entries '400': $ref: '#/components/responses/error' '500': $ref: '#/components/responses/error' security: [] servers: - url: https://passkeys.hanko.io tags: - name: credentials description: Represents all objects which are related to WebAuthn credentials - name: mfa description: Represents all objects which are related to MFA in common - name: webauthn description: Represents all objects which are related to WebAuthn in common - name: audit_logs description: Represents all objects which are related to audit logs components: parameters: user_id: name: user_id in: query description: representational id of the user required: false schema: type: string credential_id: name: credential_id in: path description: The ID of the webauthn credential required: true schema: type: string example: - 9c9U-4tB0glkGr3TEv39An3GVmg tenant_id: name: tenant_id in: path description: UUID of the tenant required: true schema: type: string format: uuid minLength: 36 maxLength: 36 example: - 1f496bcd-49da-4839-a02f-7ce681ccb488 X-API-KEY: name: apiKey in: header description: Secret API key required: true schema: type: string minLength: 32 requestBodies: patch-credential: content: application/json: schema: type: object properties: name: type: string required: - name post-registration-initialize: description: '' content: application/json: schema: type: object properties: user_id: type: string username: type: string maxLength: 128 icon: type: string display_name: type: string maxLength: 128 required: - user_id - username post-registration-finalize: content: application/json: schema: allOf: - $ref: '#/components/schemas/public-key-credential' - type: object properties: response: $ref: '#/components/schemas/authenticator-attestation-response' transports: type: array uniqueItems: true items: type: string required: - response post-login-finalize: content: application/json: schema: allOf: - $ref: '#/components/schemas/public-key-credential' - type: object properties: response: $ref: '#/components/schemas/autenticator-assertion-response' clientExtensionResults: type: object properties: appid: type: boolean appidExclude: type: boolean credProps: type: object properties: rk: type: boolean required: - response - clientExtensionResults post-transaction-initialize: content: application/json: schema: type: object properties: user_id: type: string transaction_id: type: string maxLength: 128 description: Needs to be a tenant-wide unique identifier transaction_data: type: object required: - user_id - transaction_id - transaction_data post-login-initialize: description: Body for login/initialize content: application/json: schema: type: object properties: user_id: type: string description: >- optional - when provided the API Key needs to be sent to the server too. post-mfa-login-initialize: content: application/json: schema: type: object properties: user_id: type: string required: - user_id responses: get-credentials: description: Example response content: application/json: schema: type: array uniqueItems: true items: $ref: '#/components/schemas/webauthn-credential' get-credential: description: Example response content: application/json: schema: $ref: '#/components/schemas/webauthn-credential' error: description: Error Response with detailed information content: application/json: schema: type: object properties: title: type: string example: - explanatory title details: type: string example: - Information which helps resolving the problem status: type: integer post-registration-initialize: description: Example response content: application/json: schema: type: object properties: publicKey: type: object properties: rp: $ref: '#/components/schemas/relying-party-entity' user: $ref: '#/components/schemas/public-key-user' challenge: type: string pubKeyCredParams: type: array items: $ref: '#/components/schemas/credential-parameter-entity' timeout: type: integer excludeCredentials: type: array items: $ref: '#/components/schemas/credential-descriptor-entity' authenticatorSelection: $ref: '#/components/schemas/authentication-selection-entity' attestation: type: string enum: - direct - enterprise - indirect - none extensions: type: object properties: appid: type: string appidExclude: type: string credProps: type: boolean required: - rp - user - challenge - pubKeyCredParams required: - publicKey post-login-initialize: description: Example response content: application/json: schema: type: object properties: publicKey: type: object properties: challenge: type: string timeout: type: integer rpId: type: string allowCredentials: type: array items: $ref: '#/components/schemas/credential-descriptor-entity' userVerification: type: string enum: - discouraged - preferred - required extensions: type: object properties: appid: type: boolean appidExclude: type: boolean credProps: type: object properties: rk: type: boolean required: - challenge mediation: type: string enum: - optional - required - silent jwks: description: Example response content: application/json: schema: type: object properties: keys: type: array minItems: 1 uniqueItems: true items: type: object additionalProperties: false properties: alg: type: string readOnly: true example: - RS256 e: type: string readOnly: true example: - AAAA kid: type: string format: uuid readOnly: true example: - 483b2499-1ed7-4325-94e3-97e8118ceee9 kty: type: string readOnly: true example: - RSA 'n': type: string readOnly: true use: type: string readOnly: true example: - sig minProperties: 6 minProperties: 1 token: description: Example response content: application/json: schema: type: object properties: token: type: string minProperties: 1 schemas: public-key-credential: title: public-key-credential allOf: - $ref: '#/components/schemas/credential' - type: object properties: rawId: type: string authenticatorAttachment: type: string enum: - cross-platform - platform - null required: - rawId credential: type: object title: credential properties: id: type: string type: enum: - public-key required: - id - type authenticator-attestation-response: title: authenticator-attestation-response allOf: - $ref: '#/components/schemas/authenticator-response' - type: object properties: attestationObject: type: string transports: type: array uniqueItems: true items: type: string required: - attestationObject authenticator-response: type: object title: authenticator-response properties: clientDataJSON: type: string required: - clientDataJSON autenticator-assertion-response: title: autenticator-assertion-response allOf: - $ref: '#/components/schemas/authenticator-response' - type: object properties: authenticatorData: type: string signature: type: string userHandle: type: string | null required: - authenticatorData - signature relying-party-entity: title: relying-party-entity allOf: - type: object properties: id: type: string - $ref: '#/components/schemas/credential-entity' credential-entity: type: object title: credential-entity properties: name: type: string required: - name public-key-user: type: object title: public-key-user properties: id: type: string displayName: type: string name: type: string required: - id - displayName - name credential-parameter-entity: type: object title: credential-parameter-entity properties: type: enum: - public-key alg: type: integer format: int32 required: - type - alg credential-descriptor-entity: type: object title: credential-descriptor-entity properties: type: enum: - public-key id: type: string transports: type: array uniqueItems: true items: type: string enum: - ble - hybrid - internal - nfc - usb required: - type - id authentication-selection-entity: type: object title: authentication-selection-entity properties: authenticatorAttachement: type: string enum: - cross-platform - platform requireResidentKey: type: boolean default: false residentKey: type: string enum: - discouraged - preferred - required userVerification: type: string enum: - discouraged - preferred - required webauthn-credential: title: webauthn-credential type: object properties: id: type: string name: type: string public_key: type: string attestation_type: type: string aaguid: type: string format: uuid minLength: 36 maxLength: 36 last_used_at: type: string format: date-time created_at: type: string format: date-time transports: type: array uniqueItems: true items: type: string backup_eligible: type: boolean default: false backup_state: type: boolean default: false is_mfa: type: boolean default: false required: - id - public_key - attestation_type - aaguid - created_at - transports - backup_eligible - backup_state - is_mfa audit_log: type: object title: audit_log properties: id: type: string format: uuid type: type: string error: type: string meta_http_request_id: type: string meta_source_ip: type: string meta_user_agent: type: string actor_user_id: type: string created_at: type: string format: date-time updated_at: type: string format: date-time tenant_id: type: string format: uuid required: - id - type - meta_http_request_id - meta_source_ip - meta_user_agent - created_at - updated_at - tenant_id