> ## Documentation Index > Fetch the complete documentation index at: https://docs.hanko.io/llms.txt > Use this file to discover all available pages before exploring further. # Profile > Initialize or advance a profile flow. ## OpenAPI ````yaml post /profile openapi: 3.0.3 info: title: Flow API description: Flow API version: 1.2.0 servers: - url: https://{tenant_id}.hanko.io variables: tenant_id: default: '' description: The (UU)ID of a tenant. Replace the default value with your tenant ID. security: [] paths: /profile: post: tags: - flow summary: Profile description: Initialize or advance a profile flow. parameters: - $ref: '#/components/parameters/ActionParam' - $ref: '#/components/parameters/LanguageParam' requestBody: $ref: '#/components/requestBodies/ProfileRequestBody' responses: '200': $ref: '#/components/responses/ProfileFlowResponse' '400': $ref: '#/components/responses/ProfileFlowResponseBadRequestError' '401': $ref: '#/components/responses/FlowResponseUnauthorizedError' '403': $ref: '#/components/responses/FlowResponseForbiddenError' '404': $ref: '#/components/responses/FlowResponseNotFoundError' '410': $ref: '#/components/responses/FlowResponseGoneError' '429': $ref: '#/components/responses/FlowResponseTooManyRequestsError' '500': $ref: '#/components/responses/FlowResponseInternalServerError' security: - CookieAuth: [] - BearerTokenAuth: [] components: parameters: ActionParam: in: query name: action description: > String of the format `{action_name}@{flow_id}`. Indicates the action to perform on the flow with the given `flow_id`. Omitting the query parameter initializes a new flow. _Note for playground usage_: You can derive the value for this query parameter from the `action`'s `href` property in a flow state response, e.g. for an `href` value of `/login?action=register_client_capabilities%4015655672-41ca-48cc-afb1-90be77075764` the (non-URL-encoded) value would be `register_client_capabilities@15655672-41ca-48cc-afb1-90be77075764`. schema: type: string example: register_client_capabilities@15655672-41ca-48cc-afb1-90be77075764 LanguageParam: in: header name: X-Language schema: type: string enum: - bn - de - en - fr - it - nl - pt-BR - zh description: > Used to internationalize outgoing emails (e.g. for email verification, recovery, etc.). If email delivery by Hanko is enabled the values for supported languages are: - "bn" (Bengali/Bangla) - "de" (German) - "en" (English) - "fr" (French) - "it" (Italian) - "nl" (Dutch) - "pt-BR" (Brazilian Portuguese), - "zh" (Chinese) If email delivery by Hanko is disabled and a webhook has been configured for the `email.send` event, the JWT payload of the `token` contained in the response to the webhook endpoint contains a `language` claim that reflects the value originally passed as the header value. requestBodies: ProfileRequestBody: description: ProfileRequestBody content: application/json: schema: title: Profile request body type: object properties: input_data: oneOf: - $ref: '#/components/schemas/InputDataRegisterClientCapabilities' - $ref: >- #/components/schemas/InputDataConnectThirdPartyOAuthProvider - $ref: >- #/components/schemas/InputDataDisconnectThirdPartyOAuthProvider - $ref: '#/components/schemas/InputDataEmailCreate' - $ref: '#/components/schemas/InputDataEmailDelete' - $ref: '#/components/schemas/InputDataEmailSetPrimary' - $ref: '#/components/schemas/InputDataEmailVerify' - $ref: '#/components/schemas/InputDataExchangeToken' - $ref: '#/components/schemas/InputDataPasswordCreate' - $ref: '#/components/schemas/InputDataPasswordUpdate' - $ref: '#/components/schemas/InputDataPatchMetadata' - $ref: '#/components/schemas/InputDataOTPCodeVerify' - $ref: '#/components/schemas/InputDataSecurityKeyDelete' - $ref: '#/components/schemas/InputDataSessionDelete' - $ref: '#/components/schemas/InputDataUsernameSet' - $ref: '#/components/schemas/InputDataVerifyPasscode' - $ref: '#/components/schemas/InputDataWebauthnCredentialRename' - $ref: >- #/components/schemas/InputDataWebauthnVerifyAttestationResponse csrf_token: $ref: '#/components/schemas/CSRFToken' additionalProperties: false responses: ProfileFlowResponse: description: ProfileFlowResponse content: application/json: schema: $ref: '#/components/schemas/StatesProfile' ProfileFlowResponseBadRequestError: description: ProfileFlowResponseBadRequestError content: application/json: schema: allOf: - oneOf: - $ref: '#/components/schemas/StateProfileInit' - $ref: '#/components/schemas/StatePasscodeConfirmation' - $ref: >- #/components/schemas/StateProfileWebauthnCredentialVerification - type: object properties: status: enum: - 400 error: $ref: '#/components/schemas/Error' FlowResponseUnauthorizedError: description: FlowResponseUnauthorizedError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 401 error: allOf: - $ref: '#/components/schemas/Error' - example: code: passcode_max_attempts_reached message: The passcode was entered wrong too many times. FlowResponseForbiddenError: description: FlowResponseForbiddenError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 403 error: allOf: - $ref: '#/components/schemas/Error' - example: code: operation_not_permitted_error message: The flow is not permitted. FlowResponseNotFoundError: description: FlowResponseNotFoundError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 404 error: allOf: - $ref: '#/components/schemas/Error' - example: code: not_found message: The requested resource was not found. FlowResponseGoneError: description: FlowResponseGoneError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 410 error: allOf: - $ref: '#/components/schemas/Error' - example: code: flow_expired_error message: The flow has expired. FlowResponseTooManyRequestsError: description: FlowResponseTooManyRequestsError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 429 payload: $ref: '#/components/schemas/PayloadResendAfter' error: allOf: - $ref: '#/components/schemas/Error' - example: code: rate_limit_exceeded message: The rate limit has been exceeded. FlowResponseInternalServerError: description: FlowResponseInternalServerError content: application/json: schema: allOf: - $ref: '#/components/schemas/StateError' - type: object properties: status: enum: - 500 error: allOf: - $ref: '#/components/schemas/Error' - example: code: technical_error message: Something went wrong. schemas: InputDataRegisterClientCapabilities: title: RegisterClientCapabilities description: Input data for the `register_client_capabilities` action. type: object properties: webauthn_available: type: boolean default: false webauthn_conditional_mediation_available: type: boolean default: false webauthn_platform_authenticator_available: type: boolean default: false required: - webauthn_available additionalProperties: false InputDataConnectThirdPartyOAuthProvider: title: ConnectThirdPartyOAuthProvider description: Input data for the `connect_thirdparty_oauth_provider` action. type: object properties: provider: type: string description: The third-party OAuth provider to connect. redirect_to: type: string description: URL to redirect to after authentication with the provider. code_verifier: type: string description: The code verifier for a PKCE OAuth flow. required: - provider - redirect_to additionalProperties: false InputDataDisconnectThirdPartyOAuthProvider: title: DisconnectThirdPartyOAuthProvider description: Input data for the `disconnect_thirdparty_oauth_provider` action. type: object properties: identity_id: type: string format: uuid4 description: The ID of the third party identity to remove. required: - identity_id additionalProperties: false InputDataEmailCreate: title: EmailCreate description: Input data for the `email_create` action. type: object properties: email: type: string format: email required: - emai additionalProperties: false InputDataEmailDelete: title: EmailDelete description: Input data for the `email_delete` action. type: object properties: email_id: type: string format: email required: - email_id additionalProperties: false InputDataEmailSetPrimary: title: EmailSetPrimary description: Input data for the `email_set_primary` action. type: object properties: email_id: type: string format: email required: - email_id additionalProperties: false InputDataEmailVerify: title: EmailVerify description: Input data for the `email_verify` action. type: object properties: email_id: type: string format: email required: - email_id additionalProperties: false InputDataExchangeToken: title: ExchangeToken description: Input data for the `exchange_token` action. type: object properties: token: type: string required: - token additionalProperties: false InputDataPasswordCreate: title: PasswordCreate description: Input data for the `password_create` action. type: object properties: password: type: string format: email required: - email_id additionalProperties: false InputDataPasswordUpdate: title: PasswordUpdate description: Input data for the `password_update` action. type: object properties: password: type: string format: email required: - email_id additionalProperties: false InputDataPatchMetadata: title: PatchMetadata description: Input data for the `patch_metadata` action. type: object properties: patch_metadata: type: object description: | Must be one of: - `null`: unsets the entire (unsafe) metadata - an empty object `{}`: indicates an empty patch object, results in a noop - a non-empty object: the current (unsafe) metadata is merged with this patch additionalProperties: true required: - patch_metadata additionalProperties: false InputDataOTPCodeVerify: title: OTPCodeVerify description: Input data for the `otp_code_verify` action. type: object properties: otp_code: description: '' type: string minLength: 6 maxLength: 6 required: - otp_code additionalProperties: false InputDataSecurityKeyDelete: title: SecurityKeyDelete description: Input data for the `security_key_delete` action. type: object properties: security_key_id: type: string required: - security_key_id additionalProperties: false InputDataSessionDelete: title: SessionDelete description: Input data for the `session_delete` action. type: object properties: session_id: description: > The ID of the session to revoke. If server-side sessions are enabled, session IDs can be obtained from session tokens (JWTs) through their `session_id` claim. type: string format: uuid4 required: - session_id additionalProperties: false InputDataUsernameSet: title: UsernameSet description: Input data for the `username_set` action. type: object properties: username: type: string required: - provider additionalProperties: false InputDataVerifyPasscode: title: VerifyPasscode description: Input data for the `verify_passcode` action. type: object properties: code: type: string minLength: 6 maxLength: 6 required: - code additionalProperties: false InputDataWebauthnCredentialRename: title: WebauthnCredentialRename description: Input data for the `webauthn_credential_rename` action. type: object properties: passkey_id: type: string passkey_name: type: string required: - passkey_id - passkey_name additionalProperties: false InputDataWebauthnVerifyAttestationResponse: title: WebauthnVerifyAttestationResponse description: Input data for the `webauthn_verify_attestation_response` action. type: object properties: public_key: description: > The [AuthenticatorAttestationResponse](https://developer.mozilla.org/en-US/docs/Web/API/AuthenticatorAttestationResponse) from the WebAuthn API. type: object required: - public_key additionalProperties: false CSRFToken: description: > Not required on flow initialization, i.e. on requests without an `action` query parameter. Required on all other requests performing an action, i.e. on requests that use an `action` query parameter. Should be the `csrf_token` value from the most recent flow state response. type: string example: qvcZt29spXYO77Y9IaxxN4MzLnmbjozl StatesProfile: oneOf: - $ref: '#/components/schemas/StatePreflight' - $ref: '#/components/schemas/StateProfileInit' - $ref: '#/components/schemas/StateProfileAccountDeleted' - $ref: '#/components/schemas/StatePasscodeConfirmation' - $ref: '#/components/schemas/StateProfileWebauthnCredentialVerification' - $ref: '#/components/schemas/StateMFAOTPSecretCreation' - $ref: '#/components/schemas/StateThirdParty' discriminator: propertyName: name mapping: preflight: $ref: '#/components/schemas/StatePreflight' profile_init: $ref: '#/components/schemas/StateProfileInit' account_deleted: $ref: '#/components/schemas/StateProfileAccountDeleted' passcode_confirmation: $ref: '#/components/schemas/StatePasscodeConfirmation' webauthn_credential_verification: $ref: '#/components/schemas/StateProfileWebauthnCredentialVerification' mfa_otp_secret_creation: $ref: '#/components/schemas/StateMFAOTPSecretCreation' thirdparty: $ref: '#/components/schemas/StateThirdParty' StateProfileInit: title: ProfileInit type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsProfileInit' name: type: string enum: - profile_init payload: allOf: - $ref: '#/components/schemas/PayloadProfileData' - type: object properties: sessions: $ref: '#/components/schemas/ProfileDataSessions' status: type: integer enum: - 200 StatePasscodeConfirmation: title: PasscodeConfirmation type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsPasscodeConfirmation' name: type: string enum: - passcode_confirmation status: type: integer enum: - 200 StateProfileWebauthnCredentialVerification: title: ProfileWebauthnCredentialVerification type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsWebauthnVerifyAttestationResponse' name: type: string enum: - webauthn_credential_verification payload: $ref: '#/components/schemas/PayloadCreationOptions' status: type: integer enum: - 200 Error: type: object properties: code: type: string message: type: string cause: type: string StateError: title: Error type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: name: type: string enum: - error payload: type: object status: type: integer PayloadResendAfter: description: Returned with a flow response when the request rate limit was exceeded. type: object properties: resend_after: description: > Indicates the amount of seconds required to pass in order to be able to send another request. type: integer example: 60 StatePreflight: title: Preflight type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsPreflight' name: type: string enum: - preflight status: type: integer enum: - 200 StateProfileAccountDeleted: title: ProfileAccountDeleted type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: type: object name: type: string enum: - account_deleted status: type: integer enum: - 200 StateMFAOTPSecretCreation: title: MFAOTPSecretCreation type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsMFAOTPSecretCreation' name: type: string enum: - mfa_otp_secret_creation payload: type: object properties: otp_image_source: description: > Contains a QR code to scan with an authenticator app as a string in ["data" URL](https://datatracker.ietf.org/doc/html/rfc2397) format. Can be directly used as the value for the `src` attribute in an HTML `img` element. type: string otp_secret: description: > Shared secret that can be provided to authenticator apps if scanning a QR code is not available. type: string status: type: integer enum: - 200 StateThirdParty: title: ThirdParty type: object allOf: - $ref: '#/components/schemas/StateBase' - properties: actions: $ref: '#/components/schemas/ActionsThirdParty' name: type: string enum: - thirdparty payload: $ref: '#/components/schemas/PayloadThirdParty' status: type: integer enum: - 200 StateBase: type: object properties: actions: description: > List of actions that can be performed in the current flow state in order to advance the flow to the next state. Depending on user details (e.g. presence or absence of credentials) or the tenant's configuration some actions may or may not be present in the response. type: object name: description: The name of the flow state. type: string payload: description: > Additional data that can be used by the client (e.g. `user` or `sessions` data provided in the profile flow) or should/must be used as intermediary data in an out of band process to produce input data for advancing the flow (e.g. the WebAuthn credential request/creation options that must be passed to the Webauthn API to produce an assertion/attestation). type: object status: description: The HTTP response status code for this flow response. type: integer csrf_token: description: Token to prevent Cross-Site Request Forgeries. type: string example: HvUwWSfPgz7VnwiS8VMDpnhZ1wNwTNiV links: type: array items: $ref: '#/components/schemas/Link' nullable: true example: [] ActionsProfileInit: type: object properties: account_delete: $ref: '#/components/schemas/ActionAccountDelete' connect_thirdparty_oauth_provider: $ref: '#/components/schemas/ActionConnectThirdPartyOAuthProvider' continue_to_otp_secret_creation: $ref: '#/components/schemas/ActionContinueToOTPSecretCreation' disconnect_thirdparty_oauth_provider: $ref: '#/components/schemas/ActionDisconnectThirdPartyOAuthProvider' email_create: $ref: '#/components/schemas/ActionEmailCreate' email_delete: $ref: '#/components/schemas/ActionEmailDelete' email_set_primary: $ref: '#/components/schemas/ActionEmailSetPrimary' email_verify: $ref: '#/components/schemas/ActionEmailVerify' otp_secret_delete: $ref: '#/components/schemas/ActionOTPSecretDelete' password_create: $ref: '#/components/schemas/ActionPasswordCreate' password_update: $ref: '#/components/schemas/ActionPasswordUpdate' password_delete: $ref: '#/components/schemas/ActionPasswordDelete' patch_metadata: $ref: '#/components/schemas/ActionPatchMetadata' security_key_create: $ref: '#/components/schemas/ActionSecurityKeyCreate' security_key_delete: $ref: '#/components/schemas/ActionSecurityKeyDelete' session_delete: $ref: '#/components/schemas/ActionSessionDelete' username_set: $ref: '#/components/schemas/ActionUsernameSet' username_delete: $ref: '#/components/schemas/ActionUsernameDelete' webauthn_credential_rename: $ref: '#/components/schemas/ActionWebauthnCredentialRename' webauthn_credential_create: $ref: '#/components/schemas/ActionWebauthnCredentialCreate' webauthn_credential_delete: $ref: '#/components/schemas/ActionWebauthnCredentialDelete' PayloadProfileData: type: object properties: user: $ref: '#/components/schemas/ProfileDataUser' ProfileDataSessions: description: List of active sessions for this user. type: array items: type: object properties: created_at: description: Time of creation of the session. type: string format: date-time current: description: Indicates whether this session is the session currently used. type: boolean expires_at: description: Time of expiry of the session. type: string format: date-time id: description: The ID of the session. type: string format: uuid ip_address: oneOf: - description: IPv4 address the session was initialized from. type: string format: ipv4 - description: IPv6 address the session was initialized from. type: string format: ipv6 last_used: description: Time of last usage of this session. type: string format: date-time user_agent: description: > User agent string consisting of the native platform that the browser is running on (Windows, Mac, Linux, Android, etc.) and a parenthesised name of the user agent. type: string user_agent_raw: description: > The complete user agent, i.e. the exact value of the `User-Agent` header the API received in the request(s) for establishing the session. type: string ActionsPasscodeConfirmation: type: object properties: verify_passcode: $ref: '#/components/schemas/ActionVerifyPasscode' resend_passcode: $ref: '#/components/schemas/ActionResendPasscode' back: $ref: '#/components/schemas/ActionBack' ActionsWebauthnVerifyAttestationResponse: description: ActionsWebauthnVerifyAttestationResponse type: object properties: webauthn_verify_attestation_response: $ref: '#/components/schemas/ActionWebauthnVerifyAttestationResponse' back: $ref: '#/components/schemas/ActionBack' PayloadCreationOptions: type: object properties: creation_options: $ref: '#/components/schemas/CredentialCreationOptions' required: - creation_options ActionsPreflight: type: object properties: register_client_capabilities: $ref: '#/components/schemas/ActionRegisterClientCapabilities' ActionsMFAOTPSecretCreation: type: object properties: otp_code_verify: $ref: '#/components/schemas/ActionOTPCodeVerify' back: $ref: '#/components/schemas/ActionBack' ActionsThirdParty: type: object properties: exchange_token: $ref: '#/components/schemas/ActionExchangeToken' back: $ref: '#/components/schemas/ActionBack' PayloadThirdParty: type: object properties: redirect_url: type: string format: uri required: - redirect_url Link: type: object properties: name: description: The name of the link. type: string href: description: The destination of the link. type: string format: uri category: description: The category of the link. type: string target: description: The target of the link. type: string enum: - _self - _blank - _parent - _top ActionAccountDelete: description: | Delete an account. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - account_delete ActionConnectThirdPartyOAuthProvider: description: Connect a third-party OAuth provider. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - connect_thirdparty_oauth_provider inputs: $ref: '#/components/schemas/InputsConnectThirdPartyOAuthProvider' ActionContinueToOTPSecretCreation: description: Continue to the `mfa_otp_secret_creation` state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - continue_to_otp_secret_creation ActionDisconnectThirdPartyOAuthProvider: description: Disconnect a third-party OAuth provider. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - disconnect_thirdparty_oauth_provider inputs: $ref: '#/components/schemas/InputsDisconnectThirdPartyOAuthProvider' ActionEmailCreate: description: Add an email. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - email_create inputs: $ref: '#/components/schemas/InputsEmailCreate' ActionEmailDelete: description: Delete an email. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - email_delete inputs: $ref: '#/components/schemas/InputsEmailDelete' ActionEmailSetPrimary: description: Set an email as the primary email. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - email_set_primary inputs: $ref: '#/components/schemas/InputsEmailSetPrimary' ActionEmailVerify: description: Verify an email. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - email_verify inputs: $ref: '#/components/schemas/InputsEmailVerify' ActionOTPSecretDelete: description: Delete an OTP secret. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - otp_secret_delete ActionPasswordCreate: description: Create a password. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - password_create inputs: $ref: '#/components/schemas/InputsPasswordCreate' ActionPasswordUpdate: description: Update a password. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - password_update inputs: $ref: '#/components/schemas/InputsPasswordUpdate' ActionPasswordDelete: description: Delete a password. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - password_delete ActionPatchMetadata: description: Patches the (unsafe) metadata of a user. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - patch_metadata inputs: $ref: '#/components/schemas/InputsPatchMetadata' ActionSecurityKeyCreate: description: Create a security key. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - security_key_create ActionSecurityKeyDelete: description: Delete a security key. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - security_key_delete inputs: $ref: '#/components/schemas/InputsSecurityKeyDelete' ActionSessionDelete: description: Revoke a session. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - session_delete inputs: $ref: '#/components/schemas/InputsSessionDelete' ActionUsernameSet: description: Set a username. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - username_set inputs: $ref: '#/components/schemas/InputsUsernameSet' ActionUsernameDelete: description: Delete a username. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - username_create ActionWebauthnCredentialRename: description: Rename a passkey. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - webauthn_credential_rename inputs: $ref: '#/components/schemas/InputsWebauthnCredentialRename' ActionWebauthnCredentialCreate: description: Generate passkey creation options for registering a passkey. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - webauthn_credential_create ActionWebauthnCredentialDelete: description: Delete a passkey. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - webauthn_credential_delete inputs: $ref: '#/components/schemas/InputsWebauthnCredentialDelete' ProfileDataUser: description: Data pertaining to the user associated with the current session. type: object properties: user_id: type: string format: uuid passkeys: type: array items: $ref: '#/components/schemas/WebauthnCredential' security_keys: type: array items: $ref: '#/components/schemas/WebauthnCredential' emails: type: array items: type: object properties: id: type: string format: uuid address: type: string format: email is_primary: type: boolean is_verified: type: boolean identity: deprecated: true description: Deprecated. See `identities` instead. type: object properties: id: type: string description: Contains the ID of the user at the provider. provider: type: string description: > Contains the display name of the provider, if available. Otherwise contains the provider ID. identities: deprecated: true description: Deprecated. See top-level `identities` instead. type: array items: type: object properties: id: type: string description: ID of the user at the provider provider: type: string description: > Contains the display name of the provider, if available. Otherwise contains the provider ID. identities: description: The user's third party connections/identities. type: array items: type: object properties: id: type: string description: The ID of the user at the provider identity_id: type: string description: The identity's ID format: uuid4 provider: type: string description: > Contains the display name of the provider, if available. Otherwise contains the provider ID. metadata: type: object properties: public_metadata: type: object additionalProperties: {} unsafe_metadata: type: object additionalProperties: {} mfa_config: type: object properties: auth_app_set_up: type: boolean description: >- Indicates whether the user has set up an authenticator app for 2FA. totp_enabled: type: boolean description: > Indicates whether 2FA via authenticator app is enabled on this tenant. To check whether a user has set up an authenticator app for 2FA, see [`payload.user.mfa_config.app_auth_set_up`](#response-one-of-1-payload-user-mfa-config-app-auth-set-up). security_keys_enabled: type: boolean description: > Indicates whether 2FA via security keys is enabled on this tenant. To check whether a user has enrolled security keys for 2FA, see [`payload.user.security_keys`](#response-one-of-1-payload-user-security-keys). created_at: type: string format: date-time updated_at: type: string format: date-time name: type: string given_name: type: string family_name: type: string picture: type: string format: uri ActionVerifyPasscode: description: Verify a passcode. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - verify_passcode inputs: $ref: '#/components/schemas/InputsVerifyPasscode' ActionResendPasscode: description: Resend a passcode. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - resend_passcode ActionBack: description: Go back to the previous state. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - back ActionWebauthnVerifyAttestationResponse: description: Verify an attestation response to complete a passkey registration. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - webauthn_verify_assertion_response inputs: $ref: '#/components/schemas/InputsWebauthnVerifyAttestationResponse' CredentialCreationOptions: description: Options for credential creation with the WebAuthn API externalDocs: url: https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions type: object properties: publicKey: type: object properties: rp: type: object properties: name: type: string example: Hanko Authentication Service id: type: string example: localhost user: type: object properties: id: type: string example: pPQT9rwJRD7gVncsnCDNyN name: type: string example: user@example.com displayName: type: string example: user@example.com challenge: type: string format: base64url example: 7qmkJUXR0dOFnsW48evX3qKdCzlGjvvqAAvMDN+KTN0= pubKeyCredParams: type: array items: type: object properties: type: type: string enum: - public-key alg: type: number example: - type: public-key alg: -7 timeout: type: number format: int64 example: 60000 authenticatorSelection: type: object properties: authenticatorAttachment: type: string enum: - platform - cross-platform example: platform requireResidentKey: type: boolean example: true residentKey: type: string enum: - discouraged - preferred - required example: preferred userVerification: type: string enum: - discouraged - preferred - required example: required attestation: type: string enum: - none - indirect - direct - enterprise example: none ActionRegisterClientCapabilities: description: >- Provide information about whether the client is capable of using passkeys (a.k.a. the Webauthn API). allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - register_client_capabilities inputs: $ref: '#/components/schemas/InputsRegisterClientCapabilities' ActionOTPCodeVerify: description: Verify an OTP code to set up (T)OTP MFA. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - otp_code_verify inputs: $ref: '#/components/schemas/InputsOTPCodeVerify' ActionExchangeToken: description: >- Exchange a one time token after a third party authentication for a session token. allOf: - $ref: '#/components/schemas/Action' - type: object properties: action: enum: - exchange_token inputs: $ref: '#/components/schemas/InputsExchangeToken' Action: description: Action type: object properties: action: description: The name of the action. type: string href: description: The action target as a URL relative to the API tenant base URL. type: string description: description: The description for the action. type: string inputs: description: > The inputs for the action. An input indicates that when making a request to perform an action, the `input_data` value of the request body must contain a key with the given `name` value of the respective input. The corresponding value for that key is specified by the remaining properties of the input. type: object InputsConnectThirdPartyOAuthProvider: $ref: '#/components/schemas/InputsThirdPartyOauth' InputsDisconnectThirdPartyOAuthProvider: type: object properties: identity_id: type: string format: uuid4 description: The ID of the third party identity to remove. InputsEmailCreate: type: object properties: email: $ref: '#/components/schemas/InputEmail' InputsEmailDelete: type: object properties: email_id: $ref: '#/components/schemas/InputEmailId' InputsEmailSetPrimary: type: object properties: email_id: $ref: '#/components/schemas/InputEmailId' InputsEmailVerify: type: object properties: email_id: $ref: '#/components/schemas/InputEmailId' InputsPasswordCreate: type: object properties: password: $ref: '#/components/schemas/InputPassword' InputsPasswordUpdate: type: object properties: password: $ref: '#/components/schemas/InputPassword' InputsPatchMetadata: type: object properties: patch_metadata: $ref: '#/components/schemas/InputPatchMetadata' InputsSecurityKeyDelete: type: object properties: security_key_id: $ref: '#/components/schemas/InputSecurityKeyID' InputsSessionDelete: type: object properties: session_id: $ref: '#/components/schemas/InputSessionID' InputsUsernameSet: type: object properties: username: $ref: '#/components/schemas/InputUsername' required: - username InputsWebauthnCredentialRename: type: object properties: passkey_id: $ref: '#/components/schemas/InputPasskeyId' passkey_name: $ref: '#/components/schemas/InputPasskeyName' required: - passkey_id - passkey_name InputsWebauthnCredentialDelete: type: object properties: passkey_id: $ref: '#/components/schemas/InputPasskeyId' required: - passkey_id WebauthnCredential: type: object properties: aaguid: type: string format: uuid attestation_type: type: string enum: - none - packed - tpm - android-key - android-safetynet - fido-u2f - apple backup_eligible: type: boolean backup_state: type: boolean created_at: type: string format: date-time id: type: string format: uuid last_used_at: type: string format: date-time mfa_only: type: boolean public-key: type: string transports: type: array items: type: string enum: - ble - internal - nfc - usb InputsVerifyPasscode: type: object properties: code: $ref: '#/components/schemas/InputCode' required: - code InputsWebauthnVerifyAttestationResponse: type: object properties: public_key: $ref: '#/components/schemas/InputPublicKey' required: - public_key InputsRegisterClientCapabilities: type: object properties: webauthn_available: $ref: '#/components/schemas/InputWebauthnAvailable' webauthn_conditional_mediation_available: $ref: '#/components/schemas/InputWebauthnConditionalMediationAvailable' webauthn_platform_authenticator_available: $ref: '#/components/schemas/InputWebauthnPlatformAuthenticatorAvailable' required: - webauthn_available InputsOTPCodeVerify: type: object properties: otp_code: $ref: '#/components/schemas/InputOTPCode' required: - otp_code InputsExchangeToken: type: object properties: token: $ref: '#/components/schemas/InputToken' InputsThirdPartyOauth: type: object properties: provider: $ref: '#/components/schemas/InputProvider' redirect_to: $ref: '#/components/schemas/InputRedirectTo' code_verifier: $ref: '#/components/schemas/InputCodeVerifier' required: - provider - redirect_to InputEmail: title: Email allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - email type: type: string enum: - email max_length: default: 120 required: default: true hidden: default: false InputEmailId: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - email_id type: type: string enum: - string required: default: true hidden: default: true InputPassword: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - password type: enum: - password min_length: default: 8 required: default: true hidden: default: false InputPatchMetadata: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - patch_metadata type: enum: - json required: default: true hidden: default: false InputSecurityKeyID: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - security_key_id type: enum: - string required: default: true hidden: default: true InputSessionID: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - session_id type: enum: - string required: default: true hidden: default: true InputUsername: title: Username allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - username type: enum: - string min_length: type: number enum: - 3 max_length: type: number enum: - 40 required: default: false hidden: default: false InputPasskeyId: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - passkey_id type: enum: - string required: default: true hidden: default: false InputPasskeyName: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - passkey_name type: enum: - string required: default: true hidden: default: false InputCode: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - code type: enum: - string min_length: default: 6 max_length: default: 6 required: default: true hidden: default: false InputPublicKey: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - public-key type: enum: - json required: default: true hidden: default: true InputWebauthnAvailable: description: > Indicates whether the client the device is capable of creating and using passkeys/WebAuthn credentials. allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - webauthn_available type: type: string enum: - boolean InputWebauthnConditionalMediationAvailable: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - webauthn_conditional_mediation_available type: type: string enum: - boolean InputWebauthnPlatformAuthenticatorAvailable: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: type: string enum: - webauthn_platform_authenticator_available type: type: string enum: - boolean InputOTPCode: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - otp_code type: enum: - string required: default: true hidden: default: false InputToken: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - token type: enum: - string required: default: true hidden: default: true InputProvider: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - provider type: enum: - string value: type: string required: default: true hidden: default: true allowed_values: items: properties: name: description: A display name to use for the provider. value: $ref: '#/components/schemas/InputProviderAllowedValue' InputRedirectTo: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - redirect_to type: enum: - string required: default: true hidden: default: true InputCodeVerifier: allOf: - $ref: '#/components/schemas/Input' - type: object properties: name: enum: - code_verifier type: enum: - string required: default: false hidden: default: true Input: type: object properties: name: type: string type: type: string required: type: boolean min_length: type: integer max_length: type: integer hidden: type: boolean value: type: string allowed_values: type: array items: type: object properties: name: type: string value: $ref: '#/components/schemas/AnyValue' InputProviderAllowedValue: type: string enum: - apple - discord - facebook - github - google - linkedin - microsoft AnyValue: description: Can be any value - string, number, boolean, array or object. securitySchemes: CookieAuth: type: apiKey in: cookie name: hanko BearerTokenAuth: type: http scheme: bearer bearerFormat: JWT ````