Logto blog

Discover Logto and explore plenty of resources on authentication, authorization, identity management, open standards (OAuth, OpenID Connect, SAML), and more.

Featured posts

Cover

Changelogs

  • release

Logto product updates

It's time for a new Logto release! This update brings customizable MFA prompt policies, relaxed redirect URI restrictions for better real-world application support, and new social and SMS connectors contributed by our community.

Yijun
Yijun
Developer
Logto product updates

Tech

  • authentication
  • authorization
  • oauth
  • openid-connect
  • oidc
  • application
  • api

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Tutorial

    Bring your own sign-in UI to Logto Cloud

    Bring your own sign-in UI to Logto Cloud

    All posts

    • Cover

      Tech

      • 401
      • 403
      • http status code
      • authorization
      • authentication

      HTTP status code 401 or 403? How authentication and authorization errors differ

      401 Unauthorized indicates the client is not authenticated, requiring valid credentials. 403 Forbidden signifies the client is authenticated but lacks the necessary permissions to access the resource.

      HTTP status code 401 or 403? How authentication and authorization errors differ
    • Cover

      Changelogs

      • release

      Logto product updates

      It's time for a new Logto release! This update brings customizable MFA prompt policies, relaxed redirect URI restrictions for better real-world application support, and new social and SMS connectors contributed by our community.

      Logto product updates
    • Cover

      Tech

      • OTP
      • TOTP
      • MFA
      • HOTP
      • one-time password

      What is one-time password (OTP)?

      What is OTP? What is the difference between OTP and TOTP? How does OTP work? This article breaks down the basic concepts of OTP and why it is more preferred than static passwords.

      What is one-time password (OTP)?
    • Cover

      Tech

      • SSO
      • IdP
      • SAML
      • Enterprise SSO
      • OIDC

      SSO vs SAML, explained for everyone

      SSO, SAML are often used vaguely and can be interpreted in different ways. In this article, we’ll clarify these concepts, explain how they relate to each other, and provide real examples to make them easier to understand.

      SSO vs SAML, explained for everyone
    • Cover

      Product

      • token
      • oidc
      • refresh token
      • rotation
      • security

      What is refresh token rotation and why is it important?

      Dive in and let's talk about why refresh token rotation is an effective way to protect the safety of your refresh tokens.

      What is refresh token rotation and why is it important?
    • Cover

      Tech

      • security
      • encryption
      • jws
      • asymmetric
      • ec
      • rsa
      • public key
      • private key
      • token
      • signing jwt

      JWT signing algorithms overview

      Explore JSON Web Token (JWT) signing algorithms, covering two of the most popular asymmetric encryption approaches: RSA and EC. Learn about the pros and cons of each algorithm and how Logto uses them to secure your JWT tokens.

      JWT signing algorithms overview
    • Cover

      Tech

      • jwt
      • authentication
      • session
      • token
      • revoke jwt

      JWT vs Session authentication

      Learn the differences between session-based and JWT authentication. Explore trade-offs, advantages, and use cases to choose the proper authentication scheme for your apps.

      JWT vs Session authentication
    • Cover

      Product

      • pricing-update

      Logto plan update: Optimizing token quotas to protect Logto from abuse and ensure reliability

      Token changes will only affect Free plan users and new Pro users.

      Logto plan update: Optimizing token quotas to protect Logto from abuse and ensure reliability
    • Cover

      Tech

      • oidc
      • openid connect
      • oauth
      • authentication
      • authorization

      What is OIDC: From why we need it to how it works

      Learn what OIDC is, why it's needed, and how it works. Discover how OIDC extends OAuth 2.0 for authentication, understand its core components including ID Tokens, scopes and userinfo endpoint.

      What is OIDC: From why we need it to how it works
    • Cover

      Product

      • token
      • oidc
      • refresh token
      • access token
      • ID token

      Understanding access tokens, refresh tokens, and ID tokens in OpenID Connect (OIDC) protocol

      The OpenID Connect (OIDC) Protocol, has emerged as a widely adopted standard for identity management. But do you really understand the roles and attributes of these tokens?

      Understanding access tokens, refresh tokens, and ID tokens in OpenID Connect (OIDC) protocol
    • Cover

      Tutorial

      • redirect uri
      • callback
      • authorization code
      • code flow
      • oidc
      • pkce

      Understanding Redirect URI and Authorization Code Flow in OpenID Connect (OIDC)

      Let's take a closer look at the redirect URI as it is a critical security component in OIDC authentication process.

      Understanding Redirect URI and Authorization Code Flow in OpenID Connect (OIDC)
    • Cover

      Tech

      • OIDC
      • SAML
      • SSO
      • authentication
      • authorization

      SAML vs OIDC

      SAML and OIDC are the two most popular authentication protocols used in the SSO industry. This article will compare SAML and OIDC in terms of their architecture, and use cases.

      SAML vs OIDC
    • Cover

      Product

      • pricing
      • auth0 alternatives
      • auth0

      2025 Auth0's latest pricing explained and the best Auth0 alternatives

      Auth0 has updated its pricing twice within a year. This article provides an overview and breaks down the key details. It covers what Auth0 is, a summary of its pricing, and the best alternatives to Auth0.

      2025 Auth0's latest pricing explained and the best Auth0 alternatives
    • Cover

      Tech

      • client assertion
      • client assertion type
      • generate client assertion
      • oidc
      • oauth

      What is client assertion in OAuth 2.0 client authentication?

      Introduces what client assertion is and provides a detailed guide on how to generate a client assertion in OAuth 2.0. It also briefly compares client assertion with the traditional client ID and client secret method, offering insights on how to choose the most suitable authentication approach.

      What is client assertion in OAuth 2.0 client authentication?
    • Cover

      Tech

      • mfa
      • 2fa
      • totp
      • nodejs
      • security
      • authentication
      • authenticator app
      • otplib

      How to implement two-factor authentication (2FA) in Node.js with authenticator apps

      Learn how to implement two-factor authentication (2FA) in Node.js using authenticator apps, TOTP, and the otplib library. This step-by-step guide covers everything from generating QR codes to verifying authentication codes.

      How to implement two-factor authentication (2FA) in Node.js with authenticator apps
    • Cover

      Product

      • authenticator app
      • 2FA
      • MFA
      • TOTP
      • Google Authenticator
      • Microsoft Authenticator

      What is an authenticator app

      Learn what an authenticator app is and how it protects your accounts. Includes a detailed explanation of how it works and a step-by-step example guide to use an authenticator app.

      What is an authenticator app
    • Cover

      Product

      • OTP bots
      • MFA
      • Authentication
      • Security
      • Passwordless

      OTP bots: What they are and how to prevent attacks

      Learn what OTP bots are, how they exploit one-time passwords with real cases, and strategies to protect your business from these cyber threats. This guide offers actionable tips for professionals in product development and enterprise management.

      OTP bots: What they are and how to prevent attacks
    • Cover

      Tech

      • authz
      • authn
      • concept

      What is AuthZ (Authorization)?

      Explore the definition of AuthZ, AuthN vs AuthZ, how the AuthZ works, and authorization best practices.

      What is AuthZ (Authorization)?
    • Cover

      Tech

      • saas
      • multi-tenancy
      • postgres
      • row-level security
      • rls
      • trigger function
      • multi-tenant architecture
      • single-tenant architecture

      Multi-tenancy implementation with PostgreSQL: Learn through a simple real-world example

      Learn how to implement multi-tenant architecture with PostgreSQL Row-Level Security (RLS) and database roles through a real-world example for secure data isolation between tenants.

      Multi-tenancy implementation with PostgreSQL: Learn through a simple real-world example
    • Cover

      Tech

      • iam
      • oauth
      • openid-connect
      • saml
      • sso
      • jwt

      Understand IAM, OAuth, OpenID Connect, SAML, SSO, and JWT in one article

      The world of identity and access management (IAM) can feel overwhelming and confusing. But don’t worry - this article will break down the basics of them to help you see the bigger picture and navigate this complex field with confidence.

      Understand IAM, OAuth, OpenID Connect, SAML, SSO, and JWT in one article