> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hanko.io/llms.txt
> Use this file to discover all available pages before exploring further.
# Get a list of WebAuthn credentials
> Returns a list of WebAuthn credentials assigned to the current user.
Deprecated. Please use the [Flow API](/api-reference/flow/registration) instead. [What's the Flow API?](/using-the-api/understanding-the-flow-api).
## OpenAPI
````yaml openapi-public get /webauthn/credentials
openapi: 3.0.0
info:
version: 1.2.0
title: Hanko Public API
description: >
## Introduction
This is the OpenAPI specification for the [Hanko Public
API](https://github.com/teamhanko/hanko/blob/main/backend/README.md#basic-usage).
## Authentication
The API uses [JSON Web Tokens](https://www.rfc-editor.org/rfc/rfc7519.html)
(JWTs) for authentication.
JWTs are verified using [JSON Web
Keys](https://www.rfc-editor.org/rfc/rfc7517) (JWK).
JWKs can be
[configured](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#all-available-config-options)
through the `secrets.keys` options. The API also publishes public
cryptographic keys as a
[JWK set](https://www.rfc-editor.org/rfc/rfc7517#section-2) through the
`.well-known/jwks.json` endpoint
to enable clients to verify token signatures.
JWTs must be provided on requests to protected endpoints using one of the
following schemes:
### CookieAuth
**Security Scheme Type**: `API Key`
**Cookie parameter name**: `hanko`
The JWT must be provided in a Cookie with the name `hanko`.
### BearerTokenAuth
**Security Scheme Type**: `http`
**HTTP Authorization Scheme**: `Bearer`
**Bearer format**: `JWT`
The JWT must be provided in an HTTP Authorization header with bearer type:
`Authorization: Bearer `.
## Cross-Origin Resource Sharing
Cross-Origin Resource Sharing (CORS) can be currently
[configured](https://github.com/teamhanko/hanko/blob/main/backend/docs/Config.md#all-available-config-options)
for public endpoints via the `server.public.cors` options.
---
contact:
email: developers@hanko.io
license:
name: AGPL-3.0-or-later
url: https://www.gnu.org/licenses/agpl-3.0.txt
servers:
- url: https://{tenant_id}.hanko.io
variables:
tenant_id:
default: ''
description: The (UU)ID of a tenant. Replace the default value with your tenant ID.
security: []
externalDocs:
description: More about Hanko
url: https://github.com/teamhanko/hanko
paths:
/webauthn/credentials:
get:
tags:
- WebAuthn
summary: Get a list of WebAuthn credentials
description: |
Returns a list of WebAuthn credentials assigned to the current user.
operationId: listCredentials
responses:
'200':
description: A list of WebAuthn credentials assigned to the current user
content:
application/json:
schema:
$ref: '#/components/schemas/WebauthnCredentials'
'401':
$ref: '#/components/responses/Unauthorized'
'500':
$ref: '#/components/responses/InternalServerError'
deprecated: true
security:
- CookieAuth: []
- BearerTokenAuth: []
components:
schemas:
WebauthnCredentials:
description: A list of WebAuthn credentials
type: array
items:
$ref: '#/components/schemas/WebauthnCredential'
example:
- id: 5333cc5b-c7c4-48cf-8248-9c184ac72b65
name: iCloud
public_key: pQECYyagASFYIBblARCP_at3cmprjzQN1lJ...
attestation_type: packed
aaguid: 01020304-0506-0708-0102-030405060708
last_used_at: '2026-02-24T21:40:36.26936Z'
created_at: '2026-02-24T21:40:36.26936Z'
transports:
- internal
backup_eligible: true
backup_state: true
mfa_only: false
- id: f826013e-e7e3-4366-a6d8-9359effc8cdd
name: Yubikey Bio
public_key: aNMEEyadASFYIBblARCP_at3cmp4gg3zQN1lJ...
attestation_type: packed
aaguid: 90636e1f-ef82-43bf-bdcf-5255f139d12f
last_used_at: '2026-02-24T21:40:36.26936Z'
created_at: '2026-02-24T21:40:36.26936Z'
transports:
- usb
backup_eligible: true
backup_state: false
mfa_only: true
WebauthnCredential:
type: object
properties:
aaguid:
type: string
format: uuid
attestation_type:
type: string
enum:
- none
- packed
- tpm
- android-key
- android-safetynet
- fido-u2f
- apple
backup_eligible:
type: boolean
backup_state:
type: boolean
created_at:
type: string
format: date-time
id:
type: string
format: uuid
last_used_at:
type: string
format: date-time
mfa_only:
type: boolean
name:
type: string
public-key:
type: string
transports:
type: array
items:
type: string
enum:
- ble
- internal
- nfc
- usb
Error:
type: object
required:
- code
- message
properties:
code:
type: integer
format: int32
message:
type: string
responses:
Unauthorized:
description: Unauthorized
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
example:
code: 401
message: Unauthorized
InternalServerError:
description: Internal server error
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
example:
code: 500
message: Internal Server Error
securitySchemes:
CookieAuth:
type: apiKey
in: cookie
name: hanko
BearerTokenAuth:
type: http
scheme: bearer
bearerFormat: JWT
````