Logto blog

Discover Logto and explore plenty of resources on authentication, authorization, identity management, open standards (OAuth, OpenID Connect, SAML), and more.

Featured posts

Cover

Changelogs

  • release
  • SAML
  • SAML application
  • HTTP email connector

Logto product updates

It's time for a new Logto release! This update brings support on SAML applications, HTTP email connector with some bug fixes.

Darcy Ye
Darcy Ye
Developer
Logto product updates

Tech

  • authentication
  • authorization
  • oauth
  • openid-connect
  • oidc
  • application
  • api

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Tutorial

    Bring your own sign-in UI to Logto Cloud

    Bring your own sign-in UI to Logto Cloud

    All posts

    • Cover

      Tutorial

      • rbac
      • role design
      • rbac implementation

      RBAC in practice: Implementing secure authorization for your application

      Complete guide to Role-Based Access Control (RBAC): Master permission design, role management, and secure authorization with practical CMS implementation.

      RBAC in practice: Implementing secure authorization for your application
    • Cover

      Product

      • soc2
      • security
      • compliance

      Logto is now SOC 2 Type II compliant!

      Logto is now SOC 2 Type II compliant, proving our commitment to security.

      Logto is now SOC 2 Type II compliant!
    • Cover

      Tech

      • Logto cloud
      • Region
      • Japan

      Logto cloud muti-region support - Japan region coming soon

      Logto is adding a new data region in Japan! Contact us to join the waitlist.

      Logto cloud muti-region support - Japan region coming soon
    • Cover

      Product

      • Amazon Cognito
      • Pricing

      2025 Amazon Cognito's latest pricing explained and the best Amazon Cognito alternatives

      This article provides an overview and breaks down the key details of Amazon Cognito. It covers what Amazon Cognito is, a summary of its pricing, and the best alternatives to Amazon Cognito.

      2025 Amazon Cognito's latest pricing explained and the best Amazon Cognito alternatives
    • Cover

      Product

      • SAML
      • SSO
      • Identity Provider

      Simplify SAML app integration for developers

      Learn what SAML is, how to implement SSO, and quick steps to integrate SAML apps as an Identity Provider (IdP) or Service Provider (SP).

      Simplify SAML app integration for developers
    • Cover

      Tutorial

      • encore
      • protect api
      • api auth

      How to use Logto for your Encore application

      Learn how to use Logto for user authentication in your Encore backend application. In this guide we show you how to integrate your Go backend with Logto.

      How to use Logto for your Encore application
    • Cover

      Changelogs

      • release
      • SAML
      • SAML application
      • HTTP email connector

      Logto product updates

      It's time for a new Logto release! This update brings support on SAML applications, HTTP email connector with some bug fixes.

      Logto product updates
    • Cover

      Product

      • SaaS
      • Multi-tenant
      • B2B
      • Authentication

      What is B2B SaaS, and what will the post-SaaS era (2025+) with AI look like?

      A concise guide to B2B SaaS, covering key features, metrics (MRR, ARR, CAC, LTV), and the future of AI in SaaS. Get our idea and thoughts on how AI agents and dynamic systems will shape SaaS, and why human control remains essential. Ideal for SaaS developers and AI builders.

      What is B2B SaaS, and what will the post-SaaS era (2025+) with AI look like?
    • Cover

      Tech

      • saas development
      • multi-tenant saas
      • saas architecture
      • saas boilerplate

      Build a multi-tenant SaaS application: A complete guide from design to implementation

      Learn how to efficiently build a multi-tenant SaaS application with robust authentication, organization management, and role-based access control in just a few hours.

      Build a multi-tenant SaaS application: A complete guide from design to implementation
    • Cover

      Tech

      • 401
      • 403
      • http status code
      • authorization
      • authentication

      HTTP status code 401 or 403? How authentication and authorization errors differ

      401 Unauthorized indicates the client is not authenticated, requiring valid credentials. 403 Forbidden signifies the client is authenticated but lacks the necessary permissions to access the resource.

      HTTP status code 401 or 403? How authentication and authorization errors differ
    • Cover

      Changelogs

      • release

      Logto product updates

      It's time for a new Logto release! This update brings customizable MFA prompt policies, relaxed redirect URI restrictions for better real-world application support, and new social and SMS connectors contributed by our community.

      Logto product updates
    • Cover

      Tech

      • SSO
      • IdP
      • SAML
      • Enterprise SSO
      • OIDC

      SSO vs SAML, explained for everyone

      SSO, SAML are often used vaguely and can be interpreted in different ways. In this article, we’ll clarify these concepts, explain how they relate to each other, and provide real examples to make them easier to understand.

      SSO vs SAML, explained for everyone
    • Cover

      Tech

      • OTP
      • TOTP
      • MFA
      • HOTP
      • one-time password

      What is one-time password (OTP)?

      What is OTP? What is the difference between OTP and TOTP? How does OTP work? This article breaks down the basic concepts of OTP and why it is more preferred than static passwords.

      What is one-time password (OTP)?
    • Cover

      Product

      • token
      • oidc
      • refresh token
      • rotation
      • security

      What is refresh token rotation and why is it important?

      Dive in and let's talk about why refresh token rotation is an effective way to protect the safety of your refresh tokens.

      What is refresh token rotation and why is it important?
    • Cover

      Tech

      • security
      • encryption
      • jws
      • asymmetric
      • ec
      • rsa
      • public key
      • private key
      • token
      • signing jwt

      JWT signing algorithms overview

      Explore JSON Web Token (JWT) signing algorithms, covering two of the most popular asymmetric encryption approaches: RSA and EC. Learn about the pros and cons of each algorithm and how Logto uses them to secure your JWT tokens.

      JWT signing algorithms overview
    • Cover

      Tech

      • jwt
      • authentication
      • session
      • token
      • revoke jwt

      JWT vs Session authentication

      Learn the differences between session-based and JWT authentication. Explore trade-offs, advantages, and use cases to choose the proper authentication scheme for your apps.

      JWT vs Session authentication
    • Cover

      Product

      • pricing-update

      Logto plan update: Optimizing token quotas to protect Logto from abuse and ensure reliability

      Token changes will only affect Free plan users and new Pro users.

      Logto plan update: Optimizing token quotas to protect Logto from abuse and ensure reliability
    • Cover

      Tech

      • oidc
      • openid connect
      • oauth
      • authentication
      • authorization

      What is OIDC: From why we need it to how it works

      Learn what OIDC is, why it's needed, and how it works. Discover how OIDC extends OAuth 2.0 for authentication, understand its core components including ID Tokens, scopes and userinfo endpoint.

      What is OIDC: From why we need it to how it works
    • Cover

      Product

      • token
      • oidc
      • refresh token
      • access token
      • ID token

      Understanding access tokens, refresh tokens, and ID tokens in OpenID Connect (OIDC) protocol

      The OpenID Connect (OIDC) Protocol, has emerged as a widely adopted standard for identity management. But do you really understand the roles and attributes of these tokens?

      Understanding access tokens, refresh tokens, and ID tokens in OpenID Connect (OIDC) protocol
    • Cover

      Tutorial

      • redirect uri
      • callback
      • authorization code
      • code flow
      • oidc
      • pkce

      Understanding Redirect URI and Authorization Code Flow in OpenID Connect (OIDC)

      Let's take a closer look at the redirect URI as it is a critical security component in OIDC authentication process.

      Understanding Redirect URI and Authorization Code Flow in OpenID Connect (OIDC)