> ## Documentation Index > Fetch the complete documentation index at: https://docs.hanko.io/llms.txt > Use this file to discover all available pages before exploring further. # Login > Initialize or advance a login flow. ## OpenAPI ````yaml post /login openapi: 3.0.3 info: title: Flow API description: Flow API version: 1.2.0 servers: - url: https://{tenant_id}.hanko.io variables: tenant_id: default: '' description: The (UU)ID of a tenant. Replace the default value with your tenant ID. security: [] paths: /login: post: tags: - flow summary: Login description: Initialize or advance a login flow. parameters: - $ref: '#/components/parameters/ActionParam' - $ref: '#/components/parameters/LanguageParam' requestBody: $ref: '#/components/requestBodies/LoginRequestBody' responses: '200': $ref: '#/components/responses/LoginFlowResponse' '400': $ref: '#/components/responses/LoginFlowResponseBadRequestError' '401': $ref: '#/components/responses/FlowResponseUnauthorizedError' '403': $ref: '#/components/responses/FlowResponseForbiddenError' '410': $ref: '#/components/responses/FlowResponseGoneError' '429': $ref: '#/components/responses/FlowResponseTooManyRequestsError' '500': $ref: '#/components/responses/FlowResponseInternalServerError' components: parameters: ActionParam: in: query name: action description: > String of the format `{action_name}@{flow_id}`. Indicates the action to perform on the flow with the given `flow_id`. Omitting the query parameter initializes a new flow. _Note for playground usage_: You can derive the value for this query parameter from the `action`'s `href` property in a flow state response, e.g. for an `href` value of `/login?action=register_client_capabilities%4015655672-41ca-48cc-afb1-90be77075764` the (non-URL-encoded) value would be `register_client_capabilities@15655672-41ca-48cc-afb1-90be77075764`. schema: type: string example: register_client_capabilities@15655672-41ca-48cc-afb1-90be77075764 LanguageParam: in: header name: X-Language schema: type: string enum: - bn - de - en - fr - it - nl - pt-BR - zh description: > Used to internationalize outgoing emails (e.g. for email verification, recovery, etc.). If email delivery by Hanko is enabled the values for supported languages are: - "bn" (Bengali/Bangla) - "de" (German) - "en" (English) - "fr" (French) - "it" (Italian) - "nl" (Dutch) - "pt-BR" (Brazilian Portuguese), - "zh" (Chinese) If email delivery by Hanko is disabled and a webhook has been configured for the `email.send` event, the JWT payload of the `token` contained in the response to the webhook endpoint contains a `language` claim that reflects the value originally passed as the header value. requestBodies: LoginRequestBody: description: LoginRequestBody content: application/json: schema: title: Login request body type: object properties: input_data: oneOf: - $ref: '#/components/schemas/InputDataRegisterClientCapabilities' - $ref: '#/components/schemas/InputDataContinueWithLoginIdentifier' - $ref: '#/components/schemas/InputDataRememberMe' - $ref: '#/components/schemas/InputDataEmailAddressSet' - $ref: '#/components/schemas/InputDataVerifyPasscode' - $ref: '#/components/schemas/InputDataPasswordLogin' - $ref: '#/components/schemas/InputDataRegisterPassword' - $ref: '#/components/schemas/InputDataPasswordRecovery' - $ref: '#/components/schemas/InputDataOTPCodeVerify' - $ref: '#/components/schemas/InputDataOTPCodeValidate' - $ref: '#/components/schemas/InputDataThirdPartyOauth' - $ref: '#/components/schemas/InputDataExchangeToken' - $ref: >- #/components/schemas/InputDataWebauthnVerifyAttestationResponse - $ref: >- #/components/schemas/InputDataWebauthnVerifyAssertionResponse csrf_token: $ref: '#/components/schemas/CSRFToken' additionalProperties: false responses: LoginFlowResponse: description: LoginFlowResponse headers: X-Auth-Token: description: > Used for cross-domain communication between client and Hanko API. Only present if configured on the tenant and on the `success` state of the flow. schema: $ref: '#/components/schemas/X-Auth-Token' X-Session-Lifetime: description: | Contains the seconds until the session expires. Only present on the `success` state of the flow. schema: $ref: '#/components/schemas/X-Session-Lifetime' X-Session-Retention: description: > Serves as a hint at what type of cookie (session or persistent) should be created. Only present on the `success` state of the flow. schema: $ref: '#/components/schemas/X-Session-Retention' Set-Cookie: schema: anyOf: - $ref: '#/components/schemas/CookieSession' - $ref: '#/components/schemas/CookieDeviceToken' examples: session: value: hanko=; Path=/; HttpOnly device_token: value: >- hanko-device-token=dl4yEFrW8XYU2GQ6IN3gJeqTiVhDKsfK_GYh-_HsAk4ZBdG1M6iA6QXQDJGSJNruS41_-bHTnlDjx8GyJ_WKA==,Path=/; HttpOnly, Secure content: application/json: schema: $ref: '#/components/schemas/StatesLogin' LoginFlowResponseBadRequestError: description: LoginFlowResponseBadRequestError content: application/json: schema: allOf: - oneOf: - $ref: '#/components/schemas/StateLoginInit' - $ref: '#/components/schemas/StateLoginPasskey' - $ref: '#/components/schemas/StateLoginPassword' - $ref: '#/components/schemas/StatePasscodeConfirmation' - $ref: '#/components/schemas/StatePasswordCreation' - $ref: '#/components/schemas/StateOnboardingEmail' - $ref: '#/components/schemas/StateOnboardingCreatePasskey' - $ref: >- #/components/schemas/StateOnboardingVerifyPasskeyAttestation - $ref: '#/components/schemas/StateOnboardingUsername' - $ref: '#/components/schemas/StateThirdParty' - type: object properties: status: enum: - 400 error: $ref: '#/components/schemas/Error' FlowResponseUnauthorizedError: description: FlowResponseUnauthorizedError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 401 error: allOf: - $ref: '#/components/schemas/Error' - example: code: passcode_max_attempts_reached message: The passcode was entered wrong too many times. FlowResponseForbiddenError: description: FlowResponseForbiddenError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 403 error: allOf: - $ref: '#/components/schemas/Error' - example: code: operation_not_permitted_error message: The flow is not permitted. FlowResponseGoneError: description: FlowResponseGoneError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 410 error: allOf: - $ref: '#/components/schemas/Error' - example: code: flow_expired_error message: The flow has expired. FlowResponseTooManyRequestsError: description: FlowResponseTooManyRequestsError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 429 payload: $ref: '#/components/schemas/PayloadResendAfter' error: allOf: - $ref: '#/components/schemas/Error' - example: code: rate_limit_exceeded message: The rate limit has been exceeded. FlowResponseInternalServerError: description: FlowResponseInternalServerError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 500 error: allOf: - $ref: '#/components/schemas/Error' - example: code: technical_error message: Something went wrong. schemas: InputDataRegisterClientCapabilities: title: RegisterClientCapabilities description: Input data for the `register_client_capabilities` action. type: object properties: webauthn_available: type: boolean default: false webauthn_conditional_mediation_available: type: boolean default: false webauthn_platform_authenticator_available: type: boolean default: false required: - webauthn_available additionalProperties: false InputDataContinueWithLoginIdentifier: description: Input data for the `continue_with_login_identifier` action. oneOf: - type: object title: ContinueWithLoginIdentifier properties: identifier: description: Present only if emails and usernames are enabled. type: string required: - identifier - type: object title: ContinueWithLoginIdentifierEmail properties: email: type: string format: email required: - email - type: object title: ContinueWithLoginIdentifierUsername properties: username: type: string required: - username minProperties: 1 InputDataRememberMe: description: Input data for the `remember_me` action. title: RememberMe type: object properties: remember_me: type: boolean required: - remember_me additionalProperties: false InputDataEmailAddressSet: title: EmailAddressSet description: Input data for the `email_address_set` action. type: object properties: email: type: string format: email required: - email additionalProperties: false InputDataVerifyPasscode: title: VerifyPasscode description: Input data for the `verify_passcode` action. type: object properties: code: type: string minLength: 6 maxLength: 6 required: - code additionalProperties: false InputDataPasswordLogin: title: PasswordLogin description: Input data for the `password_login` action. type: object properties: password: type: string required: - password additionalProperties: false InputDataRegisterPassword: description: Input data for the `register_password` action. title: RegisterPassword type: object properties: new_password: type: string required: - new_password additionalProperties: false InputDataPasswordRecovery: title: PasswordRecovery description: Input data for the `password_recovery` action. type: object properties: new_password: type: string required: - new_password additionalProperties: false InputDataOTPCodeVerify: title: OTPCodeVerify description: Input data for the `otp_code_verify` action. type: object properties: otp_code: description: '' type: string minLength: 6 maxLength: 6 required: - otp_code additionalProperties: false InputDataOTPCodeValidate: allOf: - $ref: '#/components/schemas/InputDataOTPCodeVerify' - title: OTPCodeValidate - description: Input data for the `otp_code_validate` action. InputDataThirdPartyOauth: title: ThirdPartyOauth description: Input data for the `thirdparty_oauth` action. type: object properties: provider: $ref: '#/components/schemas/InputProviderAllowedValue' redirect_to: type: string format: uri code_verifier: type: string required: - provider - redirect_to additionalProperties: false InputDataExchangeToken: title: ExchangeToken description: Input data for the `exchange_token` action. type: object properties: token: type: string required: - token additionalProperties: false InputDataWebauthnVerifyAttestationResponse: title: WebauthnVerifyAttestationResponse description: Input data for the `webauthn_verify_attestation_response` action. type: object properties: public_key: description: > The [AuthenticatorAttestationResponse](https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAttestationResponse) from the WebAuthn API. type: object required: - public_key additionalProperties: false InputDataWebauthnVerifyAssertionResponse: title: WebauthnVerifyAssertionResponse description: Input data for the `webauthn_verify_assertion_response` action. type: object properties: assertion_response: description: > The [AuthenticatorAssertionResponse](https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAssertionResponse) from the WebAuthn API. type: object required: - assertion_response additionalProperties: false CSRFToken: description: > Not required on flow initialization, i.e. on requests without an `action` query parameter. Required on all other requests performing an action, i.e. on requests that use an `action` query parameter. Should be the `csrf_token` value from the most recent flow state response. type: string example: qvcZt29spXYO77Y9IaxxN4MzLnmbjozl X-Auth-Token: type: string format: JWT X-Session-Lifetime: type: number X-Session-Retention: type: string enum: - session - persistent CookieSession: description: > Value `` is a [JSON Web Token](https://www.rfc-editor.org/rfc/rfc7519.html) Only present on the `success` state of the flow. type: string example: hanko=; Path=/; HttpOnly CookieDeviceToken: description: > Issued on a login flow's success if the `trust_device` action was executed during the flow. Used during subsequent login flows to check if MFA (if it is enabled and the user has registered an MFA credential) can be skipped. Only present on the `success` state of the flow. type: string example: > hanko-device-token=dl4yEFrW8XYU2GQ6IN3gJeqTiVhDKsfK_GYh-_HsAk4ZBdG1M6iA6QXQDJGSJNruS41_-bHTnlDjx8GyJ_WKA==,Path=/; HttpOnly, Secure StatesLogin: oneOf: - $ref: '#/components/schemas/StatePreflight' - $ref: '#/components/schemas/StateLoginInit' - $ref: '#/components/schemas/StateLoginPasskey' - $ref: '#/components/schemas/StateLoginPassword' - $ref: '#/components/schemas/StateLoginPasswordRecovery' - $ref: '#/components/schemas/StateLoginMethodChooser' - $ref: '#/components/schemas/StateLoginOTP' - $ref: '#/components/schemas/StateLoginSecurityKey' - $ref: '#/components/schemas/StateMFAMethodChooser' - $ref: '#/components/schemas/StateMFAOTPSecretCreation' - $ref: '#/components/schemas/StateMFASecurityKeyCreation' - $ref: '#/components/schemas/StatePasscodeConfirmation' - $ref: '#/components/schemas/StatePasswordCreation' - $ref: '#/components/schemas/StateOnboardingEmail' - $ref: '#/components/schemas/StateOnboardingUsername' - $ref: '#/components/schemas/StateCredentialOnboardingChooser' - $ref: '#/components/schemas/StateOnboardingCreatePasskey' - $ref: '#/components/schemas/StateOnboardingVerifyPasskeyAttestation' - $ref: '#/components/schemas/StateDeviceTrust' - $ref: '#/components/schemas/StateThirdParty' - $ref: '#/components/schemas/StateSuccessLogin' discriminator: propertyName: name mapping: preflight: $ref: '#/components/schemas/StatePreflight' login_init: $ref: '#/components/schemas/StateLoginInit' login_method_chooser: $ref: '#/components/schemas/StateLoginMethodChooser' login_otp: $ref: '#/components/schemas/StateLoginOTP' login_passkey: $ref: '#/components/schemas/StateLoginPasskey' login_password: $ref: '#/components/schemas/StateLoginPassword' login_password_recovery: $ref: '#/components/schemas/StateLoginPasswordRecovery' login_security_key: $ref: '#/components/schemas/StateLoginSecurityKey' passcode_confirmation: $ref: '#/components/schemas/StatePasscodeConfirmation' password_creation: $ref: '#/components/schemas/StatePasswordCreation' mfa_method_chooser: $ref: '#/components/schemas/StateMFAMethodChooser' mfa_otp_secret_creation: $ref: '#/components/schemas/StateMFAOTPSecretCreation' mfa_security_key_creation: $ref: '#/components/schemas/StateMFASecurityKeyCreation' onboarding_email: $ref: '#/components/schemas/StateOnboardingEmail' onboarding_username: $ref: '#/components/schemas/StateOnboardingUsername' credential_onboarding_chooser: $ref: '#/components/schemas/StateCredentialOnboardingChooser' onboarding_create_passkey: $ref: '#/components/schemas/StateOnboardingCreatePasskey' onboarding_verify_passkey_attestation: $ref: '#/components/schemas/StateOnboardingVerifyPasskeyAttestation' device_trust: $ref: '#/components/schemas/StateDeviceTrust' thirdparty: $ref: '#/components/schemas/StateThirdParty' success: $ref: '#/components/schemas/StateSuccessLogin' StateLoginInit: title: LoginInit allOf: - $ref: '#/components/schemas/StateBase' - type: object properties: actions: $ref: '#/components/schemas/ActionsLoginInit' name: type: string enum: - login_init payload: $ref: '#/components/schemas/PayloadRequestOptions' status: type: integer enum: - 200 StateLoginPasskey: title: LoginPasskey type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsLoginPasskey' name: type: string enum: - login_passkey payload: $ref: '#/components/schemas/PayloadRequestOptions' status: type: integer enum: - 200 StateLoginPassword: title: LoginPassword type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsLoginPassword' name: type: string enum: - login_password status: type: integer enum: - 200 StatePasscodeConfirmation: title: PasscodeConfirmation type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsPasscodeConfirmation' name: type: string enum: - passcode_confirmation status: type: integer enum: - 200 StatePasswordCreation: title: PasswordCreation type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsPasswordCreation' name: type: string enum: - password_creation status: type: integer enum: - 200 StateOnboardingEmail: title: OnboardingEmail type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsOnboardingEmail' name: type: string enum: - onboarding_email payload: type: object status: type: integer enum: - 200 StateOnboardingCreatePasskey: title: OnboardingCreatePasskey type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsOnboardingCreatePasskey' name: type: string enum: - onboarding_create_passkey payload: type: object status: type: integer enum: - 200 StateOnboardingVerifyPasskeyAttestation: title: OnboardingVerifyPasskeyAttestation type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsOnboardingVerifyPasskeyAttestation' name: type: string enum: - onboarding_verify_passkey_attestation payload: $ref: '#/components/schemas/PayloadCreationOptions' status: type: integer enum: - 200 StateOnboardingUsername: title: OnboardingUsername type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsOnboardingUsername' name: type: string enum: - onboarding_username payload: type: object status: type: integer enum: - 200 StateThirdParty: title: ThirdParty type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsThirdParty' name: type: string enum: - thirdparty payload: $ref: '#/components/schemas/PayloadThirdParty' status: type: integer enum: - 200 Error: type: object properties: code: type: string message: type: string cause: type: string StateError: title: Error type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: name: type: string enum: - error payload: type: object status: type: integer PayloadResendAfter: description: Returned with a flow response when the request rate limit was exceeded. type: object properties: resend_after: description: > Indicates the amount of seconds required to pass in order to be able to send another request. type: integer example: 60 InputProviderAllowedValue: type: string enum: - apple - discord - facebook - github - google - linkedin - microsoft StatePreflight: title: Preflight type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsPreflight' name: type: string enum: - preflight status: type: integer enum: - 200 StateLoginPasswordRecovery: title: LoginPasswordRecovery type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsLoginPasswordRecovery' name: type: string enum: - login_password_recovery status: type: integer enum: - 200 StateLoginMethodChooser: title: LoginMethodChooser type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsLoginMethodChooser' name: type: string enum: - login_method_chooser status: type: integer enum: - 200 StateLoginOTP: title: LoginOTP type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsLoginOTP' name: type: string enum: - login_otp status: type: integer enum: - 200 StateLoginSecurityKey: title: LoginSecurityKey type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsLoginSecurityKey' name: type: string enum: - login_security_key status: type: integer enum: - 200 StateMFAMethodChooser: title: MFAMethodChooser type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsMFAMethodChooser' name: type: string enum: - mfa_method_chooser status: type: integer enum: - 200 StateMFAOTPSecretCreation: title: MFAOTPSecretCreation type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsMFAOTPSecretCreation' name: type: string enum: - mfa_otp_secret_creation payload: type: object properties: otp_image_source: description: > Contains a QR code to scan with an authenticator app as a string in ["data" URL](https://datatracker.ietf.org/doc/html/rfc2397) format. Can be directly used as the value for the `src` attribute in an HTML `img` element. type: string otp_secret: description: > Shared secret that can be provided to authenticator apps if scanning a QR code is not available. type: string status: type: integer enum: - 200 StateMFASecurityKeyCreation: title: MFASecurityKeyCreation type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsMFASecurityKeyCreation' name: type: string enum: - mfa_security_key_creation status: type: integer enum: - 200 StateCredentialOnboardingChooser: title: CredentialOnboardingChooser type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsCredentialOnboardingChooser' name: type: string enum: - credential_onboarding_chooser payload: type: object status: type: integer enum: - 200 StateDeviceTrust: title: DeviceTrust allOf: - $ref: '#/components/schemas/StateBase' - type: object properties: actions: $ref: '#/components/schemas/ActionsDeviceTrust' name: type: string enum: - device_trust StateSuccessLogin: title: Success type: object allOf: - $ref: '#/components/schemas/StateSuccess' - type: object properties: payload: allOf: - $ref: '#/components/schemas/PayloadProfileData' - type: object properties: last_login: $ref: '#/components/schemas/LastLogin' claims: $ref: '#/components/schemas/Claims' StateBase: type: object properties: actions: description: > List of actions that can be performed in the current flow state in order to advance the flow to the next state. Depending on user details (e.g. presence or absence of credentials) or the tenant's configuration some actions may or may not be present in the response. type: object name: description: The name of the flow state. type: string payload: description: > Additional data that can be used by the client (e.g. `user` or `sessions` data provided in the profile flow) or should/must be used as intermediary data in an out of band process to produce input data for advancing the flow (e.g. the WebAuthn credential request/creation options that must be passed to the Webauthn API to produce an assertion/attestation). type: object status: description: The HTTP response status code for this flow response. type: integer csrf_token: description: Token to prevent Cross-Site Request Forgeries. type: string example: HvUwWSfPgz7VnwiS8VMDpnhZ1wNwTNiV links: type: array items: $ref: '#/components/schemas/Link' nullable: true example: [] ActionsLoginInit: type: object properties: continue_with_login_identifier: $ref: '#/components/schemas/ActionContinueWithLoginIdentifier' webauthn_generate_request_options: $ref: '#/components/schemas/ActionWebauthnGenerateRequestOptions' webauthn_verify_assertion_response: $ref: '#/components/schemas/ActionWebauthnVerifyAssertionResponse' thirdparty_oauth: $ref: '#/components/schemas/ActionThirdPartyOauth' remember_me: $ref: '#/components/schemas/ActionRememberMe' PayloadRequestOptions: type: object properties: request_options: $ref: '#/components/schemas/CredentialRequestOptions' required: - request_options ActionsLoginPasskey: type: object properties: webauthn_verify_assertion_response: $ref: '#/components/schemas/ActionWebauthnVerifyAssertionResponse' back: $ref: '#/components/schemas/ActionBack' ActionsLoginPassword: type: object properties: password_login: $ref: '#/components/schemas/ActionPasswordLogin' continue_to_passcode_confirmation_recovery: $ref: '#/components/schemas/ActionContinueToPasscodeConfirmationRecovery' back: $ref: '#/components/schemas/ActionBack' ActionsPasscodeConfirmation: type: object properties: verify_passcode: $ref: '#/components/schemas/ActionVerifyPasscode' resend_passcode: $ref: '#/components/schemas/ActionResendPasscode' back: $ref: '#/components/schemas/ActionBack' ActionsPasswordCreation: type: object properties: register_password: $ref: '#/components/schemas/ActionRegisterPassword' skip: $ref: '#/components/schemas/ActionSkip' back: $ref: '#/components/schemas/ActionBack' ActionsOnboardingEmail: type: object properties: email_address_set: $ref: '#/components/schemas/ActionEmailAddressSet' skip: $ref: '#/components/schemas/ActionSkip' ActionsOnboardingCreatePasskey: type: object properties: webauthn_generate_creation_options: $ref: '#/components/schemas/ActionWebauthnGenerateCreationOptions' skip: $ref: '#/components/schemas/ActionSkip' back: $ref: '#/components/schemas/ActionBack' ActionsOnboardingVerifyPasskeyAttestation: type: object properties: webauthn_verify_attestation_response: type: object properties: action: enum: - webauthn_verify_attestation_response inputs: $ref: '#/components/schemas/InputsWebauthnVerifyAttestationResponse' back: $ref: '#/components/schemas/ActionBack' PayloadCreationOptions: type: object properties: creation_options: $ref: '#/components/schemas/CredentialCreationOptions' required: - creation_options ActionsOnboardingUsername: type: object properties: username_set: type: object properties: action: enum: - username_set inputs: $ref: '#/components/schemas/InputsUsernameSet' skip: $ref: '#/components/schemas/ActionSkip' ActionsThirdParty: type: object properties: exchange_token: $ref: '#/components/schemas/ActionExchangeToken' back: $ref: '#/components/schemas/ActionBack' PayloadThirdParty: type: object properties: redirect_url: type: string format: uri required: - redirect_url ActionsPreflight: type: object properties: register_client_capabilities: $ref: '#/components/schemas/ActionRegisterClientCapabilities' ActionsLoginPasswordRecovery: type: object properties: password_recovery: $ref: '#/components/schemas/ActionPasswordRecovery' ActionsLoginMethodChooser: type: object properties: continue_to_password_login: $ref: '#/components/schemas/ActionContinueToPasswordLogin' continue_to_passcode_confirmation: $ref: '#/components/schemas/ActionContinueToPasscodeConfirmation' ActionsLoginOTP: type: object properties: otp_code_validate: $ref: '#/components/schemas/ActionOTPCodeValidate' continue_to_login_security_key: $ref: '#/components/schemas/ActionContinueToLoginSecurityKey' ActionsLoginSecurityKey: type: object properties: webauthn_generate_request_options: $ref: '#/components/schemas/ActionWebauthnGenerateRequestOptions' continue_to_login_otp: $ref: '#/components/schemas/ActionContinueToLoginOTP' ActionsMFAMethodChooser: type: object properties: back: $ref: '#/components/schemas/ActionBack' continue_to_otp_secret_creation: $ref: '#/components/schemas/ActionContinueToOTPSecretCreation' continue_to_security_key_creation: $ref: '#/components/schemas/ActionContinueToSecurityKeyCreation' skip: $ref: '#/components/schemas/ActionSkip' ActionsMFAOTPSecretCreation: type: object properties: otp_code_verify: $ref: '#/components/schemas/ActionOTPCodeVerify' back: $ref: '#/components/schemas/ActionBack' ActionsMFASecurityKeyCreation: type: object properties: webauthn_generate_creation_options: $ref: '#/components/schemas/ActionWebauthnGenerateCreationOptions' back: $ref: '#/components/schemas/ActionBack' ActionsCredentialOnboardingChooser: type: object properties: continue_to_passkey_registration: $ref: '#/components/schemas/ActionContinueToPasskeyRegistration' continue_to_password_registration: $ref: '#/components/schemas/ActionContinueToPasswordRegistration' skip: $ref: '#/components/schemas/ActionSkip' back: $ref: '#/components/schemas/ActionBack' ActionsDeviceTrust: type: object properties: trust_device: $ref: '#/components/schemas/ActionTrustDevice' skip: $ref: '#/components/schemas/ActionSkip' back: $ref: '#/components/schemas/ActionBack' StateSuccess: title: Success type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: name: type: string enum: - success payload: $ref: '#/components/schemas/PayloadProfileData' status: type: integer enum: - 200 PayloadProfileData: type: object properties: user: $ref: '#/components/schemas/ProfileDataUser' LastLogin: description: Contains data about the last login and MFA methods used by the user. type: object properties: login_method: description: The login method used. type: string enum: - password - passkey - passcode - third_party mfa_method: description: The MFA method used. type: string enum: - totp - security_key third_party_provider: description: >- Contains the name of the third party provider used if `login_method` is `third_party`. type: string Claims: description: >- Contains the claims of a user as they appear in the payload of session JWTs. type: object properties: amr: description: >- Authentication Method References, JSON array of strings that are identifiers for authentication methods used in the authentication. type: array items: type: string enum: - pwd - passkey - otp - ext: - totp - security_key description: > - `pwd` => password - `passkey` => passkey - `otp` => email passcode - `ext:` => thirdparty provider, where is the internal provider ID, e.g. `ext:microsoft` - `totp` => 2FA authenticator app - `security_key` => 2FA security key subject: type: string format: uuid4 issued_at: type: string format: date-time audience: type: array items: type: string issuer: type: string email: type: object properties: address: type: string is_verified: type: boolean is_primary: type: boolean additionalProperties: description: >- Any additional claims defined through templates for customizing the session JWT Link: type: object properties: name: description: The name of the link. type: string href: description: The destination of the link. type: string format: uri category: description: The category of the link. type: string target: description: The target of the link. type: string enum: - _self - _blank - _parent - _top ActionContinueWithLoginIdentifier: description: Provide a login identifier (email or username). allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_with_login_identifier inputs: $ref: '#/components/schemas/InputsContinueWithLoginIdentifier' ActionWebauthnGenerateRequestOptions: description: Generate passkey request options for authenticating with a passkey. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - webauthn_generate_request_options ActionWebauthnVerifyAssertionResponse: description: Verify an assertion response to complete a passkey authentication. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - webauthn_verify_assertion_response inputs: $ref: '#/components/schemas/InputsWebauthnVerifyAssertionResponse' ActionThirdPartyOauth: description: > Initialize a third party sign-up/sign-in by specifying the `provider` (it must be enabled and configured at the tenant) to use and the URL to redirect to (`redirect_to`) after successful authentication with the provider. A `redirect_url` to the selected provider is placed in the `payload` of the next state (`thirdparty`). allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - thirdparty_oauth inputs: $ref: '#/components/schemas/InputsThirdPartyOauth' ActionRememberMe: description: > This action determines whether a session cookie or a persistent cookie is issued on flow success. - If the `remember_me` input is set to `true`, the flow response on flow success contains a `Set-Cookie` header with a persistent cookie and an `X-Session-Retention` header with a `persistent` value. - If the `remember_me` input is set to `false`, the flow response on flow success contains a `Set-Cookie` header with a session cookie and an `X-Session-Retention` header with a `session` value. The action is only present if the tenant's cookie retention type is set to 'prompt'. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - remember_me inputs: $ref: '#/components/schemas/InputsRememberMe' CredentialRequestOptions: description: Options for assertion generation with the WebAuthn API externalDocs: url: https://www.w3.org/TR/webauthn-2/#dictionary-assertion-options type: object properties: publicKey: type: object properties: challenge: type: string format: base64url example: qgOI+0KpGnl9NOqaT6dfsYvi96R87LgpErnvePeOgSU= timeout: type: number format: int64 example: 60000 rpId: type: string example: localhost allowCredentials: type: array items: type: object properties: type: type: string enum: - public-key example: public-key id: type: string format: base64url example: Mepptysj5ZZrTlg0qiLbsZ068OtQMeGVAikVy2n1hvvG... userVerification: type: string enum: - required - preferred - discouraged example: required ActionBack: description: Go back to the previous state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - back ActionPasswordLogin: description: Authenticate with a password. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - password_login inputs: $ref: '#/components/schemas/InputsPasswordLogin' ActionContinueToPasscodeConfirmationRecovery: description: Continue to the `passcode_confirmation` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_passcode_confirmation_recovery ActionVerifyPasscode: description: Verify a passcode. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - verify_passcode inputs: $ref: '#/components/schemas/InputsVerifyPasscode' ActionResendPasscode: description: Resend a passcode. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - resend_passcode ActionRegisterPassword: description: Register a password. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - register_password inputs: $ref: '#/components/schemas/InputsRegisterPassword' ActionSkip: description: Skip to the next state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - skip ActionEmailAddressSet: description: Set an email address. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - email_address_set inputs: $ref: '#/components/schemas/InputsEmailAddressSet' ActionWebauthnGenerateCreationOptions: description: Generate passkey creation options for registering a passkey. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - webauthn_generate_creation_options InputsWebauthnVerifyAttestationResponse: type: object properties: public_key: $ref: '#/components/schemas/InputPublicKey' required: - public_key CredentialCreationOptions: description: Options for credential creation with the WebAuthn API externalDocs: url: https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions type: object properties: publicKey: type: object properties: rp: type: object properties: name: type: string example: Hanko Authentication Service id: type: string example: localhost user: type: object properties: id: type: string example: pPQT9rwJRD7gVncsnCDNyN name: type: string example: user@example.com displayName: type: string example: user@example.com challenge: type: string format: base64url example: 7qmkJUXR0dOFnsW48evX3qKdCzlGjvvqAAvMDN+KTN0= pubKeyCredParams: type: array items: type: object properties: type: type: string enum: - public-key alg: type: number example: - type: public-key alg: -7 timeout: type: number format: int64 example: 60000 authenticatorSelection: type: object properties: authenticatorAttachment: type: string enum: - platform - cross-platform example: platform requireResidentKey: type: boolean example: true residentKey: type: string enum: - discouraged - preferred - required example: preferred userVerification: type: string enum: - discouraged - preferred - required example: required attestation: type: string enum: - none - indirect - direct - enterprise example: none InputsUsernameSet: type: object properties: username: $ref: '#/components/schemas/InputUsername' required: - username ActionExchangeToken: description: >- Exchange a one time token after a third party authentication for a session token. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - exchange_token inputs: $ref: '#/components/schemas/InputsExchangeToken' ActionRegisterClientCapabilities: description: >- Provide information about whether the client is capable of using passkeys (a.k.a. the Webauthn API). allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - register_client_capabilities inputs: $ref: '#/components/schemas/InputsRegisterClientCapabilities' ActionPasswordRecovery: description: Set up a new password as part of a recovery process. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - password_recovery inputs: $ref: '#/components/schemas/InputsPasswordRecovery' ActionContinueToPasswordLogin: description: Continue to the `login_password` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_password_login ActionContinueToPasscodeConfirmation: description: Continue to the `passcode_confirmation` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_passcode_confirmation ActionOTPCodeValidate: description: Validate an OTP code for use as a second factor. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - otp_code_validate inputs: $ref: '#/components/schemas/InputsOTPCodeVerify' ActionContinueToLoginSecurityKey: description: Continue to the `login_security_key` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_login_security_key ActionContinueToLoginOTP: description: Continue to the `login_otp` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_login_otp ActionContinueToOTPSecretCreation: description: Continue to the `mfa_otp_secret_creation` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_otp_secret_creation ActionContinueToSecurityKeyCreation: description: Continue to the `mfa_security_key_creation` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_security_key_creation ActionOTPCodeVerify: description: Verify an OTP code to set up (T)OTP MFA. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - otp_code_verify inputs: $ref: '#/components/schemas/InputsOTPCodeVerify' ActionContinueToPasskeyRegistration: description: Continue to the `onboarding_create_passkey` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_passkey_registration ActionContinueToPasswordRegistration: description: Continue to the `password_creation` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_password_registration ActionTrustDevice: description: > Execution of this action indicates that a user considers the device or browser used as trusted. As a result, MFA (if it is enabled and the user has registered an MFA credential) is skipped for subsequent logins. Trust persists until it explicitly expires and its expiry is not extended on subsequent logins. Users must provide MFA again after expiry. Generates a random device token that is returned to the client in a `Set-Cookie` header on flow success. The action is only present in the flow response if this Cookie is not set, i.e. if no trust has been granted or if the cookie has expired. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - trust_device ProfileDataUser: description: Data pertaining to the user associated with the current session. type: object properties: user_id: type: string format: uuid passkeys: type: array items: $ref: '#/components/schemas/WebauthnCredential' security_keys: type: array items: $ref: '#/components/schemas/WebauthnCredential' emails: type: array items: type: object properties: id: type: string format: uuid address: type: string format: email is_primary: type: boolean is_verified: type: boolean identity: deprecated: true description: Deprecated. See `identities` instead. type: object properties: id: type: string description: Contains the ID of the user at the provider. provider: type: string description: > Contains the display name of the provider, if available. Otherwise contains the provider ID. identities: deprecated: true description: Deprecated. See top-level `identities` instead. type: array items: type: object properties: id: type: string description: ID of the user at the provider provider: type: string description: > Contains the display name of the provider, if available. Otherwise contains the provider ID. identities: description: The user's third party connections/identities. type: array items: type: object properties: id: type: string description: The ID of the user at the provider identity_id: type: string description: The identity's ID format: uuid4 provider: type: string description: > Contains the display name of the provider, if available. Otherwise contains the provider ID. metadata: type: object properties: public_metadata: type: object additionalProperties: {} unsafe_metadata: type: object additionalProperties: {} mfa_config: type: object properties: auth_app_set_up: type: boolean description: >- Indicates whether the user has set up an authenticator app for 2FA. totp_enabled: type: boolean description: > Indicates whether 2FA via authenticator app is enabled on this tenant. To check whether a user has set up an authenticator app for 2FA, see [`payload.user.mfa_config.app_auth_set_up`](#response-one-of-1-payload-user-mfa-config-app-auth-set-up). security_keys_enabled: type: boolean description: > Indicates whether 2FA via security keys is enabled on this tenant. To check whether a user has enrolled security keys for 2FA, see [`payload.user.security_keys`](#response-one-of-1-payload-user-security-keys). created_at: type: string format: date-time updated_at: type: string format: date-time name: type: string given_name: type: string family_name: type: string picture: type: string format: uri Action: description: Action type: object properties: action: description: The name of the action. type: string href: description: The action target as a URL relative to the API tenant base URL. type: string description: description: The description for the action. type: string inputs: description: > The inputs for the action. An input indicates that when making a request to perform an action, the `input_data` value of the request body must contain a key with the given `name` value of the respective input. The corresponding value for that key is specified by the remaining properties of the input. type: object InputsContinueWithLoginIdentifier: type: object properties: identifier: oneOf: - $ref: '#/components/schemas/InputIdentifier' - $ref: '#/components/schemas/InputEmail' - $ref: '#/components/schemas/InputUsername' discriminator: propertyName: name InputsWebauthnVerifyAssertionResponse: type: object properties: assertion_response: $ref: '#/components/schemas/InputAssertionResponse' required: - assertion_response InputsThirdPartyOauth: type: object properties: provider: $ref: '#/components/schemas/InputProvider' redirect_to: $ref: '#/components/schemas/InputRedirectTo' code_verifier: $ref: '#/components/schemas/InputCodeVerifier' required: - provider - redirect_to InputsRememberMe: type: object properties: remember_me: $ref: '#/components/schemas/InputRememberMe' InputsPasswordLogin: type: object properties: password: $ref: '#/components/schemas/InputPassword' required: - password InputsVerifyPasscode: type: object properties: code: $ref: '#/components/schemas/InputCode' required: - code InputsRegisterPassword: type: object properties: new_password: $ref: '#/components/schemas/InputNewPassword' InputsEmailAddressSet: type: object properties: email: $ref: '#/components/schemas/InputEmail' InputPublicKey: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - public-key type: enum: - json required: default: true hidden: default: true InputUsername: title: Username allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - username type: enum: - string min_length: type: number enum: - 3 max_length: type: number enum: - 40 required: default: false hidden: default: false InputsExchangeToken: type: object properties: token: $ref: '#/components/schemas/InputToken' InputsRegisterClientCapabilities: type: object properties: webauthn_available: $ref: '#/components/schemas/InputWebauthnAvailable' webauthn_conditional_mediation_available: $ref: '#/components/schemas/InputWebauthnConditionalMediationAvailable' webauthn_platform_authenticator_available: $ref: '#/components/schemas/InputWebauthnPlatformAuthenticatorAvailable' required: - webauthn_available InputsPasswordRecovery: type: object properties: new_password: $ref: '#/components/schemas/InputNewPassword' InputsOTPCodeVerify: type: object properties: otp_code: $ref: '#/components/schemas/InputOTPCode' required: - otp_code WebauthnCredential: type: object properties: aaguid: type: string format: uuid attestation_type: type: string enum: - none - packed - tpm - android-key - android-safetynet - fido-u2f - apple backup_eligible: type: boolean backup_state: type: boolean created_at: type: string format: date-time id: type: string format: uuid last_used_at: type: string format: date-time mfa_only: type: boolean public-key: type: string transports: type: array items: type: string enum: - ble - internal - nfc - usb InputIdentifier: title: Identifier allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - identifier type: enum: - string max_length: type: integer default: 255 required: default: true hidden: default: false InputEmail: title: Email allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - email type: type: string enum: - email max_length: default: 120 required: default: true hidden: default: false InputAssertionResponse: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - assertion_response type: enum: - json InputProvider: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - provider type: enum: - string value: type: string required: default: true hidden: default: true allowed_values: items: properties: name: description: A display name to use for the provider. value: $ref: '#/components/schemas/InputProviderAllowedValue' InputRedirectTo: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - redirect_to type: enum: - string required: default: true hidden: default: true InputCodeVerifier: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - code_verifier type: enum: - string required: default: false hidden: default: true InputRememberMe: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - remember_me type: enum: - boolean required: default: true InputPassword: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - password type: enum: - password min_length: default: 8 required: default: true hidden: default: false InputCode: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - code type: enum: - string min_length: default: 6 max_length: default: 6 required: default: true hidden: default: false InputNewPassword: allOf: - $ref: '#/components/schemas/InputPassword' - type: object properties: name: type: string enum: - new_password Input: type: object properties: name: type: string type: type: string required: type: boolean min_length: type: integer max_length: type: integer hidden: type: boolean value: type: string allowed_values: type: array items: type: object properties: name: type: string value: $ref: '#/components/schemas/AnyValue' InputToken: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - token type: enum: - string required: default: true hidden: default: true InputWebauthnAvailable: description: > Indicates whether the client the device is capable of creating and using passkeys/WebAuthn credentials. allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - webauthn_available type: type: string enum: - boolean InputWebauthnConditionalMediationAvailable: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - webauthn_conditional_mediation_available type: type: string enum: - boolean InputWebauthnPlatformAuthenticatorAvailable: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - webauthn_platform_authenticator_available type: type: string enum: - boolean InputOTPCode: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - otp_code type: enum: - string required: default: true hidden: default: false AnyValue: description: Can be any value - string, number, boolean, array or object. ````