Hanko · Agentic Access
Hanko Agentic Access
x-agentic-access
generated
Hanko exposes 84 API operations that an AI agent could call, of which 53 are state-changing ‘acting’ operations. This is a recommended x-agentic-access execution contract — the scope, audience, consequence tier, short-lived token constraints, and escalation each action should carry before it is handed to an autonomous agent.
By consequence: 31 read and 53 write.
Contracts are classified heuristically from the provider’s OpenAPI and refresh on every APIs.io network build; audience is bound per deployment. The model follows Curity’s Access Intelligence (apidays Munich 2026). Browse every provider’s agent contracts at agentic-access.apis.io.
AuthenticationPasskeysWebAuthnFIDO2IdentityOAuthSAMLPasswordlessOpen Source
Operations: 84
Acting: 53
Human-in-the-loop: 0
Method: generated
By consequence
read 31
write 53
Source
Agentic Access
generated: '2026-07-15'
method: generated
source: openapi/hanko-admin-api-openapi.yml, openapi/hanko-flow-api-openapi.yml, openapi/hanko-passkey-api-openapi.yml,
openapi/hanko-public-api-openapi.yml
description: Recommended x-agentic-access execution contracts, classified heuristically from
the OpenAPI. A governance starting point for exposing this API to AI agents — review and bind
audience per deployment. See research/curity/agentic-governance/.
summary:
operations: 84
by_action_class:
connected: 31
acting: 53
by_consequence:
read: 31
write: 53
human_in_the_loop_required: 0
operations:
- path: /
method: get
operationId: status
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users
method: get
operationId: listUsers
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users
method: post
operationId: createUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}
method: delete
operationId: deleteUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}
method: get
operationId: getUser
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}
method: patch
operationId: patchUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /audit_logs
method: get
operationId: listAuditLogs
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /metrics
method: get
operationId: getMetrics
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /webhooks
method: get
operationId: list-webhooks
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /webhooks
method: post
operationId: create-db-webhooks
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /webhooks/{id}
method: get
operationId: get-webhooks-id
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /webhooks/{id}
method: delete
operationId: delete-webhooks-id
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /webhooks/{id}
method: put
operationId: put-webhooks-id
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/emails
method: get
operationId: get-users-id-emails
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}/emails
method: post
operationId: post-users-id-emails
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/emails/{email_id}
method: get
operationId: get-users-id-emails-email_id
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}/emails/{email_id}
method: delete
operationId: delete-users-emails-email_id
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/emails/{email_id}/set_primary
method: post
operationId: post-users-emails-email_id-set_primary
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/metadata
method: get
operationId: get-user-metadata
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}/metadata
method: patch
operationId: patch-user-metadata
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/sessions
method: get
operationId: get-users-sessions
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}/sessions/{session_id}
method: delete
operationId: delete-users-sessions-session_id
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/otp
method: get
operationId: get-users-otp
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}/otp
method: delete
operationId: delete-users-otp
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/webauthn_credentials
method: get
operationId: get-users-webauthn_credentials
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}/webauthn_credentials/{credential_id}
method: get
operationId: get-users-webauthn_credentials-credential_id
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}/webauthn_credentials/{credential_id}
method: delete
operationId: delete-users-webauthn_credentials-credential_id
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/password
method: get
operationId: get-users-password
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /users/{id}/password
method: post
operationId: post-users-password
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/password
method: put
operationId: put-users-password
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}/password
method: delete
operationId: delete-users-password
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /sessions
method: post
operationId: post_sessions
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /registration
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /login
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /profile
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /token_exchange
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/credentials
method: get
operationId: get-credentials
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{tenant_id}/credentials/{credential_id}
method: get
operationId: get-credentials-credentialId
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{tenant_id}/credentials/{credential_id}
method: patch
operationId: patch-credentials-credentialId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/credentials/{credential_id}
method: delete
operationId: delete-credentials-credentialId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/registration/initialize
method: post
operationId: post-registration-initialize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/registration/finalize
method: post
operationId: post-registration-finalize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/login/initialize
method: post
operationId: post-login-initialize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/login/finalize
method: post
operationId: post-login-finalize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/.well-known/jwks.json
method: get
operationId: get-.well-known-jwks.json
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /{tenant_id}/transaction/initialize
method: post
operationId: post-tenant_id-transaction-initialize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/transaction/finalize
method: post
operationId: post-tenant_id-transaction-finalize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/mfa/registration/initialize
method: post
operationId: post-mfa-registration-initialize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/mfa/registration/finalize
method: post
operationId: post-mfa-registration-finalize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/mfa/login/initialize
method: post
operationId: post-mfa-login-initialize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/mfa/login/finalize
method: post
operationId: post-mfa-login-finalize
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /{tenant_id}/audit_logs
method: get
operationId: get-tenants-tenant_id-audit_logs
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /
method: get
operationId: status
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /passcode/login/initialize
method: post
operationId: passcodeInit
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /passcode/login/finalize
method: post
operationId: passcodeFinal
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /password/login
method: post
operationId: passwordLogin
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /password
method: put
operationId: password
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /webauthn/login/initialize
method: post
operationId: webauthnLoginInit
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /webauthn/login/finalize
method: post
operationId: webauthnLoginFinal
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /webauthn/registration/initialize
method: post
operationId: webauthnRegInit
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /webauthn/registration/finalize
method: post
operationId: webauthnRegFinal
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /webauthn/credentials
method: get
operationId: listCredentials
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /webauthn/credentials/{id}
method: patch
operationId: updateCredential
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /webauthn/credentials/{id}
method: delete
operationId: deleteCredential
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /.well-known/jwks.json
method: get
operationId: getJwks
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /.well-known/config
method: get
operationId: getConfig
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /saml/provider
method: get
operationId: get-saml-provider
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /saml/metadata
method: get
operationId: get-saml-metadata
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /saml/callback
method: post
operationId: post-saml-callback
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /sessions/validate
method: get
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /sessions/validate
method: post
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /thirdparty/auth
method: get
operationId: thirdPartyAuth
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /thirdparty/callback
method: get
operationId: thirdPartyCallback
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /token
method: post
operationId: token
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /user
method: post
operationId: getUserId
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /user
method: delete
operationId: deleteUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /me
method: get
operationId: IsUserAuthorized
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /logout
method: post
operationId: logout
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users
method: post
operationId: createUser
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /users/{id}
method: get
operationId: listUser
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /emails
method: get
operationId: listEmails
x-agentic-access:
action-class: connected
consequence: read
subject: optional
token:
max-ttl: 3600
audit: none
- path: /emails
method: post
operationId: createEmail
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /emails/{id}/set_primary
method: post
operationId: setPrimaryEmail
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required
- path: /emails/{id}
method: delete
operationId: deleteEmail
x-agentic-access:
action-class: acting
consequence: write
subject: required
audience: null
token:
max-ttl: 900
escalation:
human-in-the-loop: conditional
triggers:
- abnormal
- high-value
audit: required