# Hanko (Passkey Auth) MCP

> Hanko (Passkey Auth) manages passwordless user identity and credentials using WebAuthn standards. Initialize passkey registrations, finalize secure logins, manage stored keys, or sign sensitive transactions—all from one place.

## Overview
- **Category:** developer-tools
- **Price:** Free
- **Tags:** authentication, passkeys, passwordless, webauthn, user-management, security

## Description

This MCP lets you build authentication flows that don't rely on passwords. You get a centralized way to handle the whole lifecycle of user identity. Instead of managing complex backend logic for key exchange and session validation, your agent calls simple tools here. It handles everything from getting initial credentials ready for registration to finalizing a high-value transaction using passkeys.

When you connect this MCP through Vinkius, your AI client can execute these advanced security flows just by reading natural language requests. You can audit user access history and manage credentials without writing boilerplate WebAuthn code yourself. It’s about getting past the password screen reliably, whether it's for a simple sign-in or authorizing a payment.

## Tools

### admin_create_user
Creates a brand new user record using the administrative API tools.

### admin_get_user
Retrieves all details for an existing user by their unique ID.

### admin_list_user_credentials
Lists every WebAuthn credential attached to a specified user account.

### admin_list_users
Provides an exhaustive list of all users managed within the system's administrative scope.

### flow_execute
Runs a pre-defined Hanko Flow action, useful for automated processes.

### passkey_delete_credential
Removes a specific WebAuthn credential from a user's account.

### passkey_list_credentials
Lists all currently registered WebAuthn credentials for a given user ID.

### passkey_login_finalize
Completes and validates the session after a successful passkey login attempt.

### passkey_login_init
Initiates the passkey login sequence by providing public key options for client-side use.

### passkey_registration_finalize
Finalizes a new user's registration after they have successfully created and confirmed their passkey.

### passkey_registration_init
Initiates the passkey registration sequence, generating public key options for client-side use.

### passkey_transaction_finalize
Completes a sensitive transaction by requiring and validating a user's passkey signature.

### passkey_transaction_init
Prepares the necessary data to initialize a passkey-signed transaction for an existing user, such as payment confirmation.

### public_get_jwks
Retrieves the JSON Web Key Set (JWKS) used by your system for public token verification checks.

### public_validate_session
Validates whether a provided Hanko session token is legitimate and still active.

## Prompt Examples

**Prompt:** 
```
Initialize a passkey registration for user 'user_789' with username 'alice_dev'.
```

**Response:** 
```
I've initialized the registration. Here are the WebAuthn options for 'alice_dev' (User ID: user_789). You can now use these to call navigator.credentials.create() on your frontend.
```

**Prompt:** 
```
List all registered credentials for user ID 'usr_12345'.
```

**Response:** 
```
I found 2 registered credentials for user 'usr_12345'. One is a 'FaceID' passkey created on 2023-10-12, and the other is a 'YubiKey' registered on 2023-11-05.
```

**Prompt:** 
```
Create a new user in Hanko with the ID 'new_customer_001'.
```

**Response:** 
```
User 'new_customer_001' has been successfully created in your Hanko project. You can now proceed to initialize passkey registration for them.
```

## Capabilities

### Initiate Passkey Registration
Generates the necessary options to start the process of linking a new passkey to a user account.

### Finalize User Login Flow
Completes a secure sign-in when a user successfully authenticates with their registered passkey.

### Manage Credentials
Allows you to list or delete WebAuthn credentials attached to specific users for security auditing.

### Perform Signed Transactions
Initializes and finalizes a passkey signature, guaranteeing that the transaction originated from an authenticated user.

### Validate System Sessions
Retrieves JSON Web Key Sets (JWKS) or validates existing session tokens to confirm access rights.

## Use Cases

### Onboarding a New Enterprise Client
A product manager needs to onboard 50 new users. Instead of manually calling the user creation endpoint repeatedly, they ask their agent to run `admin_list_users` first (to check for conflicts), then loop through and call `passkey_registration_init` followed by `passkey_registration_finalize` for each one. This automates identity setup.

### Auditing a Suspicious Account
The security team suspects credential compromise. They use the agent to call `admin_get_user` to verify the user exists, and then immediately call `admin_list_user_credentials` to get a list of every associated WebAuthn device ID, allowing them to check for unauthorized keys.

### Processing a High-Value Payment
A customer wants to pay $500. The system doesn't trust the session token alone; it requires explicit proof of identity. The agent calls `passkey_transaction_init`, waits for confirmation, and then calls `passkey_transaction_finalize` to confirm the user signed off on the payment.

### Verifying API Token Integrity
An external service tries to access protected data using a session token. Instead of trusting the header, the agent uses `public_validate_session` and fetches keys via `public_get_jwks`. This confirms that the token is current and valid against your public key set.
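What "valid against your public key set" involves can be shown offline. This is an added example, not Hanko's or Vinkius's code. It assumes the session token is an RS256-signed JWT with an `exp` claim, which the page does not state; the key pair, the `kid` value `demo-key-1` and all claims are constructed for the demonstration.

```javascript
// Added example: verify an RS256 session JWT against a JWKS, fully offline.
// The key pair, the kid 'demo-key-1' and all claims are constructed for this demo.
const { generateKeyPairSync, createPublicKey, sign, verify } = require('node:crypto');

const b64url = (v) => Buffer.from(v).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Issuer side (constructed): one RSA key published as a JWKS.
const { publicKey, privateKey } = generateKeyPairSync('rsa', { modulusLength: 2048 });
const jwks = { keys: [{ ...publicKey.export({ format: 'jwk' }), kid: 'demo-key-1', use: 'sig' }] };

function signToken(header, claims) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${sign('RSA-SHA256', Buffer.from(input), privateKey).toString('base64url')}`;
}

// Verifier side: returns the claims, or throws naming the failed check.
function verifySession(token, keySet, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = fromB64url(h);
  // Pin the algorithm instead of trusting the header (rejects "none" and HMAC confusion).
  if (header.alg !== 'RS256') throw new Error('unexpected alg');
  const jwk = keySet.keys.find((k) => k.kid === header.kid && k.kty === 'RSA');
  if (!jwk) throw new Error('unknown kid');
  const key = createPublicKey({ key: { kty: jwk.kty, n: jwk.n, e: jwk.e }, format: 'jwk' });
  if (!verify('RSA-SHA256', Buffer.from(`${h}.${p}`), key, Buffer.from(s, 'base64url'))) {
    throw new Error('bad signature');
  }
  const claims = fromB64url(p);
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) throw new Error('expired');
  return claims;
}

function rejectionReason(token, nowSeconds) {
  try { verifySession(token, jwks, nowSeconds); return null; } catch (e) { return e.message; }
}

const NOW = 1700000000; // fixed clock so results are reproducible
const hdr = { alg: 'RS256', typ: 'JWT', kid: 'demo-key-1' };
const good = signToken(hdr, { sub: 'usr_12345', exp: NOW + 300 });
const stale = signToken(hdr, { sub: 'usr_12345', exp: NOW - 1 });
const rotated = signToken({ ...hdr, kid: 'retired-key' }, { sub: 'usr_12345', exp: NOW + 300 });
const unsigned = `${b64url(JSON.stringify({ alg: 'none', kid: 'demo-key-1' }))}.${good.split('.')[1]}.`;
const tampered = good.replace(/\.[^.]+\./, `.${b64url(JSON.stringify({ sub: 'admin', exp: NOW + 300 }))}.`);

for (const [name, t] of Object.entries({ good, stale, rotated, unsigned, tampered })) {
  console.log(name.padEnd(9), rejectionReason(t, NOW) ?? 'accepted');
}
```

A local signature check like this cannot see server-side revocation, which is why the use case pairs the key lookup with a call to `public_validate_session`.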

## Benefits

- You eliminate the need for complex, custom key management code. Simply calling `passkey_login_init` gets you all the options needed to start a secure login flow immediately.
- Security audits become simple. Instead of manually checking databases, your agent can run `admin_list_user_credentials` or `passkey_list_credentials` to verify exactly what credentials are attached to an account.
- Handling financial operations is safer. By using the transaction tools—first calling `passkey_transaction_init`, then `passkey_transaction_finalize`—you guarantee the signer actually owns the associated passkey for that user.
- Onboarding flows accelerate because you don't have to manually stitch together multiple APIs. You can run a sequence of calls, like initiating and then finalizing registration, all through your agent.
- Session handling is streamlined too. Use `public_validate_session` or fetch the keys with `public_get_jwks` to confirm token integrity without guesswork.

## How It Works

The bottom line is you get reliable, structured access to complex authentication steps without writing the underlying protocol logic yourself.

1. Subscribe to this MCP and supply your Hanko Tenant ID and API key.
2. Your agent calls an initialization tool, like `passkey_login_init`, which returns the necessary public key options for your client.
3. Use those returned options in your frontend code; once the user confirms their passkey, call a finalization tool (e.g., `passkey_login_finalize`) to complete the process.

## Frequently Asked Questions

**How do I start a passkey login using the passkey_login_init tool?**
You call `passkey_login_init` first; it returns the public key options necessary for your client to begin the WebAuthn process. You then use those options in your frontend, and finally call `passkey_login_finalize` upon success.

**Can I check if a user's session token is valid with Hanko (Passkey Auth) MCP?**
Yes, you run `public_validate_session`. This tool checks the validity of a provided session token against your configured keys, giving you immediate confirmation that access rights are active.

**How do I delete a user's passkey using the passkey_delete_credential tool?**
You use `passkey_delete_credential` and provide the specific credential ID. This ensures the key is removed from the system, preventing unauthorized access through that device.

**Which tool should I use to create a new user in Hanko?**
Use `admin_create_user`. After creating them with this tool, you must follow up by using the passkey tools to set up their initial credential registration.

**How do I audit all WebAuthn credentials for a user using the admin_list_user_credentials tool?**
Call `admin_list_user_credentials` with the user ID. It generates a complete list of every credential associated with that specific user ID. You can use this to quickly audit or verify which passkeys are currently active on an account before making changes.

**What sequence must I follow to process a signed payment using the passkey_transaction_init and passkey_transaction_finalize tools?**
You start by calling `passkey_transaction_init` to set up all required parameters for the transaction. Then, you use `passkey_transaction_finalize` to complete the signature-backed action.

**How do I initiate a new passkey registration flow using passkey_registration_init?**
This tool returns the public key options required for client-side credential creation. Your frontend passes these options to `navigator.credentials.create()`, and `passkey_registration_finalize` then completes the registration.

**When should I use the flow_execute tool for advanced identity management tasks?**
Use this when your authentication needs involve complex, multi-step business logic that doesn't fit standard flows. It lets you run pre-defined Hanko Flow actions directly through your agent.