// the find

teamhanko/hanko

★ 8,949 · Go · NOASSERTION · updated Jun 2026

Modern authentication, on your terms. Open source alternative to Auth0, Clerk, WorkOS, Stytch.

Hanko is a self-hostable authentication backend written in Go that covers the full modern auth stack: passkeys, passwords, email passcodes, TOTP/security key MFA, OAuth social logins, and SAML SSO. It ships with drop-in web components so you can get a working login UI without writing frontend code. Target audience is teams who want Auth0-level features without the Auth0 bill or the data residency compromise.

1. The flow-based state machine architecture (flowpilot) is a genuinely good design: auth flows are explicit directed graphs rather than scattered middleware, which makes auditing and customizing them tractable.
2. First-class passkey support with FIDO2/WebAuthn baked in from the start, not bolted on; the credential onboarding and assertion flows are separate, cleanly divided modules.
3. JWK management supports both local DB storage and AWS KMS, which means you can run it without a KMS dependency locally but harden it properly in production without code changes.
4. The split between public API and admin API is enforced at the router level, not just by convention: admin endpoints are on a separate port, so you can firewall them without application-layer logic.

1. AGPL-3.0 on the backend is a real adoption blocker for commercial products: you either open-source your app or pay for a commercial license, and that conversation often kills the evaluation before it starts.
2. Organizations/Roles/Permissions are still on the roadmap (marked ⚙️), so if you need any kind of multi-tenant RBAC you're building it yourself on top of the JWT claims.
3. The config surface is enormous: the config directory alone has 20+ files covering every subsystem, and the YAML schema is the only documentation for most of it; misconfiguration is easy and the error messages are not always helpful.
4. Mobile SDKs (iOS, Android, React Native, Flutter) are listed as not yet available, so if your app isn't purely web-based you'll be rolling your own WebAuthn/passkey integration and just hitting the API, which largely defeats the value of the pre-built components.
