
# Get a user by ID



## OpenAPI

````yaml openapi-public get /users/{id}
openapi: 3.0.0
info:
  version: 1.2.0
  title: Hanko Public API
  description: >
    ## Introduction


    This is the OpenAPI specification for the [Hanko Public
    API](https://github.com/teamhanko/hanko/blob/main/backend/README.md#basic-usage).


    ## Authentication


    The API uses [JSON Web Tokens](https://www.rfc-editor.org/rfc/rfc7519.html)
    (JWTs) for authentication.

    JWTs are verified using [JSON Web
    Keys](https://www.rfc-editor.org/rfc/rfc7517) (JWK).

    JWKs can be
    [configured](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#all-available-config-options)

    through the `secrets.keys` options. The API also publishes public
    cryptographic keys as a

    [JWK set](https://www.rfc-editor.org/rfc/rfc7517#section-2) through the
    `.well-known/jwks.json` endpoint

    to enable clients to verify token signatures.

    JWTs must be provided on requests to protected endpoints using one of the
    following schemes:


    ### CookieAuth


    **Security Scheme Type**: `API Key`


    **Cookie parameter name**: `hanko`


    The JWT must be provided in a Cookie with the name `hanko`.


    ### BearerTokenAuth


    **Security Scheme Type**: `http`


    **HTTP Authorization Scheme**: `Bearer`


    **Bearer format**: `JWT`


    The JWT must be provided in an HTTP Authorization header with bearer type:
    `Authorization: Bearer <JWT>`.


    ## Cross-Origin Resource Sharing

    Cross-Origin Resource Sharing (CORS) can currently be

    [configured](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#all-available-config-options)

    for public endpoints via the `server.public.cors` options.


    ---
  contact:
    email: developers@hanko.io
  license:
    name: AGPL-3.0-or-later
    url: https://www.gnu.org/licenses/agpl-3.0.txt
servers:
  # Tenant-scoped base URL: `tenant_id` is substituted into the host name.
  - url: https://{tenant_id}.hanko.io
    variables:
      tenant_id:
        # Empty default: the URL is not usable until a real tenant ID is filled in.
        default: ''
        description: The (UU)ID of a tenant. Replace the default value with your tenant ID.
# Document-wide default is "no security requirement". An operation is only
# protected when it declares its own `security` list, as GET /users/{id} does.
security: []
externalDocs:
  description: More about Hanko
  url: https://github.com/teamhanko/hanko
paths:
  /users/{id}:
    # Fetches a single user record by its ID. The operation is marked
    # deprecated below.
    get:
      tags:
        - User Management
      summary: Get a user by ID
      # NOTE(review): the operationId says "list" although this operation
      # fetches one user; generated client method names follow this value.
      operationId: listUser
      parameters:
        - name: id
          in: path
          description: ID of the user
          required: true
          schema:
            # Typed as a UUID string, so non-UUID path values fall outside the
            # documented contract.
            $ref: '#/components/schemas/UUID4'
      # NOTE(review): no 401 response is documented although a JWT is required
      # (see `security` below) - confirm what the server returns for a missing,
      # expired or invalid token.
      responses:
        '200':
          $ref: '#/components/responses/GetUserByIdResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        # NOTE(review): presumably returned when the caller's JWT does not
        # authorize reading the requested user ID; the spec does not state the
        # object-level authorization rule - confirm against the server.
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '500':
          $ref: '#/components/responses/InternalServerError'
      deprecated: true
      # The two entries are alternatives, not a combination: a request meets
      # the requirement with either the `hanko` cookie or an
      # `Authorization: Bearer` header.
      security:
        - CookieAuth: []
        - BearerTokenAuth: []
components:
  schemas:
    UUID4:
      type: string
      format: uuid4
      example: c339547d-e17d-4ba7-8a1d-b3d5a4d17c1c
    UserBase:
      type: object
      properties:
        id:
          description: The ID of the user. Deprecated, use `user_id` instead.
          deprecated: true
          allOf:
            - $ref: '#/components/schemas/UUID4'
        user_id:
          description: The ID of the user
          allOf:
            - $ref: '#/components/schemas/UUID4'
        emails:
          $ref: '#/components/schemas/Emails'
        created_at:
          description: Time of creation of the user
          type: string
          format: date-time
        updated_at:
          description: Time of last update of the user
          type: string
          format: date-time
        passkeys:
          type: array
          items:
            $ref: '#/components/schemas/WebauthnCredential'
          example:
            - id: 5333cc5b-c7c4-48cf-8248-9c184ac72b65
              name: iCloud
              public_key: pQECYyagASFYIBblARCP_at3cmprjzQN1lJ...
              attestation_type: packed
              aaguid: 01020304-0506-0708-0102-030405060708
              last_used_at: '2026-02-24T21:40:36.26936Z'
              created_at: '2026-02-24T21:40:36.26936Z'
              transports:
                - internal
              backup_eligible: true
              backup_state: true
              mfa_only: false
        security_keys:
          type: array
          items:
            $ref: '#/components/schemas/WebauthnCredential'
          example:
            - id: f826013e-e7e3-4366-a6d8-9359effc8cdd
              name: Yubikey Bio
              public_key: aNMEEyadASFYIBblARCP_at3cmp4gg3zQN1lJ...
              attestation_type: packed
              aaguid: 90636e1f-ef82-43bf-bdcf-5255f139d12f
              last_used_at: '2026-02-24T21:40:36.26936Z'
              created_at: '2026-02-24T21:40:36.26936Z'
              transports:
                - usb
              backup_eligible: true
              backup_state: false
              mfa_only: true
        metadata:
          $ref: '#/components/schemas/UserMetadata'
        name:
          type: string
        given_name:
          type: string
        family_name:
          type: string
        picture:
          type: string
          format: uri
        mfa_config:
          type: object
          properties:
            auth_app_set_up:
              type: boolean
            totp_enabled:
              type: boolean
            security_key_enabled:
              type: boolean
    WebauthnCredentials:
      description: A list of WebAuthn credentials
      type: array
      items:
        $ref: '#/components/schemas/WebauthnCredential'
      example:
        - id: 5333cc5b-c7c4-48cf-8248-9c184ac72b65
          name: iCloud
          public_key: pQECYyagASFYIBblARCP_at3cmprjzQN1lJ...
          attestation_type: packed
          aaguid: 01020304-0506-0708-0102-030405060708
          last_used_at: '2026-02-24T21:40:36.26936Z'
          created_at: '2026-02-24T21:40:36.26936Z'
          transports:
            - internal
          backup_eligible: true
          backup_state: true
          mfa_only: false
        - id: f826013e-e7e3-4366-a6d8-9359effc8cdd
          name: Yubikey Bio
          public_key: aNMEEyadASFYIBblARCP_at3cmp4gg3zQN1lJ...
          attestation_type: packed
          aaguid: 90636e1f-ef82-43bf-bdcf-5255f139d12f
          last_used_at: '2026-02-24T21:40:36.26936Z'
          created_at: '2026-02-24T21:40:36.26936Z'
          transports:
            - usb
          backup_eligible: true
          backup_state: false
          mfa_only: true
    Error:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: integer
          format: int32
        message:
          type: string
    Emails:
      type: array
      items:
        type: object
        properties:
          id:
            description: The ID of the email address
            allOf:
              - $ref: '#/components/schemas/UUID4'
          address:
            description: The email address
            type: string
            format: email
          is_verified:
            description: Indicates that the email has been verified.
            type: boolean
          is_primary:
            description: Indicates it's the primary email address.
            type: boolean
          identity:
            allOf:
              - $ref: '#/components/schemas/Identity'
              - deprecated: true
              - description: Deprecated, use `user.identities` instead.
          identities:
            allOf:
              - $ref: '#/components/schemas/Identities'
              - deprecated: true
              - description: Deprecated, use `user.identities` instead.
      example:
        - id: 5333cc5b-c7c4-48cf-8248-9c184ac72b65
          address: john.doe@example.com
          is_verified: true
          is_primary: false
    # One registered WebAuthn credential. Referenced by the `passkeys`,
    # `security_keys` and `WebauthnCredentials` arrays in this spec.
    # No `required` list is declared, so every property is optional as far as
    # the schema is concerned.
    WebauthnCredential:
      type: object
      properties:
        aaguid:
          type: string
          format: uuid
        # Values match WebAuthn attestation statement format identifiers.
        attestation_type:
          type: string
          enum:
            - none
            - packed
            - tpm
            - android-key
            - android-safetynet
            - fido-u2f
            - apple
        # NOTE(review): presumably the WebAuthn backup-eligibility and
        # backup-state authenticator flags - confirm.
        backup_eligible:
          type: boolean
        backup_state:
          type: boolean
        created_at:
          type: string
          format: date-time
        id:
          type: string
          format: uuid
        last_used_at:
          type: string
          format: date-time
        # NOTE(review): presumably marks a credential usable only as a second
        # factor (the examples set it to true for the security key and false
        # for the passkey) - confirm.
        mfa_only:
          type: boolean
        name:
          type: string
        # NOTE(review): every example in this spec spells this field
        # `public_key` (underscore), while the schema declares `public-key`.
        # Confirm which spelling the server emits; clients generated from this
        # schema will look for the hyphenated name.
        public-key:
          type: string
        transports:
          type: array
          items:
            type: string
            enum:
              - ble
              - internal
              - nfc
              - usb
    # Free-form metadata attached to a user, split into two buckets. Both are
    # open objects (`additionalProperties: true`), so no key or value shape is
    # enforced by this schema.
    # NOTE(review): the spec does not say who may write each bucket. The name
    # `unsafe_metadata` suggests client-writable data - confirm, and if so
    # treat it as untrusted input and never base authorization decisions on it.
    UserMetadata:
      description: The public and unsafe metadata of a user
      type: object
      properties:
        public_metadata:
          type: object
          additionalProperties: true
          # The example carries a role claim. Consumers that authorize on a
          # value like this should first confirm that end users cannot modify
          # this bucket.
          example:
            role: admin
        unsafe_metadata:
          type: object
          additionalProperties: true
          example:
            # Quoted so the value stays a string instead of being parsed as a
            # date.
            birthday: '2025-05-12'
    Identity:
      type: object
      description: Representation of a user's third party connection/identity.
      properties:
        id:
          type: string
          description: The ID of the user at the provider
        identity_id:
          type: string
          description: The identity's ID
          format: uuid4
        provider:
          type: string
          description: >
            Contains the display name of the provider, if available. Otherwise
            contains the provider ID.
    Identities:
      description: The user's third party connections/identities.
      type: array
      items:
        $ref: '#/components/schemas/Identity'
  responses:
    GetUserByIdResponse:
      description: Details for a user retrieved by ID
      content:
        application/json:
          schema:
            type: object
            allOf:
              - $ref: '#/components/schemas/UserBase'
              - type: object
                properties:
                  email:
                    description: The email address of the user
                    type: string
                    format: email
                  username:
                    description: The username of the user
                    type: string
                  webauthn_credentials:
                    $ref: '#/components/schemas/WebauthnCredentials'
    BadRequest:
      description: Bad Request
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: 400
            message: Bad Request
    Forbidden:
      description: Forbidden
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: 403
            message: Forbidden
    NotFound:
      description: Not Found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: 404
            message: Not found
    InternalServerError:
      description: Internal server error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: 500
            message: Internal Server Error
  # The two ways a JWT can be presented to protected operations.
  securitySchemes:
    # JWT carried in a cookie named `hanko`; a cookie-borne credential is
    # modelled here as an `apiKey` scheme with `in: cookie`.
    # NOTE(review): cookie attributes (Secure, HttpOnly, SameSite) cannot be
    # expressed in this scheme; browser clients relying on the cookie should
    # confirm them in the server configuration.
    CookieAuth:
      type: apiKey
      in: cookie
      name: hanko
    # JWT sent as `Authorization: Bearer <JWT>`.
    BearerTokenAuth:
      type: http
      scheme: bearer
      # Documentation hint about the token format; it does not cause the token
      # to be validated.
      bearerFormat: JWT

````