Logto blog

Discover Logto and explore plenty of resources on authentication, authorization, identity management, open standards (OAuth, OpenID Connect, SAML), and more.

Featured posts

Cover

Changelogs

  • release

Logto product updates

It's time for a new Logto release! This month, we're introducing the new Account API for direct user management, Microsoft EntraID SSO connector enhancements and improved sign-in experience features.

Yijun
Yijun
Developer
Logto product updates

Tech

  • authentication
  • authorization
  • oauth
  • openid-connect
  • oidc
  • application
  • api

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Secure cloud-based applications with OAuth 2.0 and OpenID Connect

Tutorial

  • custom-ui
  • bring-your-own-ui
  • custom-sign-in
  • custom-auth-flow

Bring your own sign-in UI to Logto Cloud

Bring your own sign-in UI to Logto Cloud

All posts

  • Cover

    Tech

    • jwt
    • authentication
    • session
    • token
    • revoke jwt

    JWT vs Session authentication

    Learn the differences between session-based and JWT authentication. Explore trade-offs, advantages, and use cases to choose the proper authentication scheme for your apps.

    JWT vs Session authentication
  • Cover

    Product

    • pricing-update

    Logto plan update: Optimizing token quotas to protect Logto from abuse and ensure reliability

    Token changes will only affect Free plan users and new Pro users.

    Logto plan update: Optimizing token quotas to protect Logto from abuse and ensure reliability
  • Cover

    Product

    • token
    • oidc
    • refresh token
    • access token
    • ID token

    Understanding access tokens, refresh tokens, and ID tokens in OpenID Connect (OIDC) protocol

    The OpenID Connect (OIDC) Protocol, has emerged as a widely adopted standard for identity management. But do you really understand the roles and attributes of these tokens?

    Understanding access tokens, refresh tokens, and ID tokens in OpenID Connect (OIDC) protocol
  • Cover

    Tech

    • oidc
    • openid connect
    • oauth
    • authentication
    • authorization

    What is OIDC: From why we need it to how it works

    Learn what OIDC is, why it's needed, and how it works. Discover how OIDC extends OAuth 2.0 for authentication, understand its core components including ID Tokens, scopes and userinfo endpoint.

    What is OIDC: From why we need it to how it works
  • Cover

    Tutorial

    • redirect uri
    • callback
    • authorization code
    • code flow
    • oidc
    • pkce

    Understanding Redirect URI and Authorization Code Flow in OpenID Connect (OIDC)

    Let's take a closer look at the redirect URI as it is a critical security component in OIDC authentication process.

    Understanding Redirect URI and Authorization Code Flow in OpenID Connect (OIDC)
  • Cover

    Tech

    • OIDC
    • SAML
    • SSO
    • authentication
    • authorization

    SAML vs OIDC

    SAML and OIDC are the two most popular authentication protocols used in the SSO industry. This article will compare SAML and OIDC in terms of their architecture, and use cases.

    SAML vs OIDC
  • Cover

    Product

    • pricing
    • auth0 alternatives
    • auth0

    2024 Auth0's latest pricing explained and the best Auth0 alternatives

    Auth0 has updated its pricing twice within a year. This article provides an overview and breaks down the key details. It covers what Auth0 is, a summary of its pricing, and the best alternatives to Auth0.

    2024 Auth0's latest pricing explained and the best Auth0 alternatives
  • Cover

    Tech

    • client assertion
    • client assertion type
    • generate client assertion
    • oidc
    • oauth

    What is client assertion in OAuth 2.0 client authentication?

    Introduces what client assertion is and provides a detailed guide on how to generate a client assertion in OAuth 2.0. It also briefly compares client assertion with the traditional client ID and client secret method, offering insights on how to choose the most suitable authentication approach.

    What is client assertion in OAuth 2.0 client authentication?
  • Cover

    Tech

    • mfa
    • 2fa
    • totp
    • nodejs
    • security
    • authentication
    • authenticator app
    • otplib

    How to implement two-factor authentication (2FA) in Node.js with authenticator apps

    Learn how to implement two-factor authentication (2FA) in Node.js using authenticator apps, TOTP, and the otplib library. This step-by-step guide covers everything from generating QR codes to verifying authentication codes.

    How to implement two-factor authentication (2FA) in Node.js with authenticator apps
  • Cover

    Product

    • OTP bots
    • MFA
    • Authentication
    • Security
    • Passwordless

    OTP bots: What they are and how to prevent attacks

    Learn what OTP bots are, how they exploit one-time passwords with real cases, and strategies to protect your business from these cyber threats. This guide offers actionable tips for professionals in product development and enterprise management.

    OTP bots: What they are and how to prevent attacks
  • Cover

    Product

    • authenticator app
    • 2FA
    • MFA
    • TOTP
    • Google Authenticator
    • Microsoft Authenticator

    What is an authenticator app

    Learn what an authenticator app is and how it protects your accounts. Includes a detailed explanation of how it works and a step-by-step example guide to use an authenticator app.

    What is an authenticator app
  • Cover

    Tech

    • saas
    • multi-tenancy
    • postgres
    • row-level security
    • rls
    • trigger function
    • multi-tenant architecture
    • single-tenant architecture

    Multi-tenancy implementation with PostgreSQL: Learn through a simple real-world example

    Learn how to implement multi-tenant architecture with PostgreSQL Row-Level Security (RLS) and database roles through a real-world example for secure data isolation between tenants.

    Multi-tenancy implementation with PostgreSQL: Learn through a simple real-world example
  • Cover

    Tech

    • authz
    • authn
    • concept

    What is AuthZ (Authorization)?

    Explore the definition of AuthZ, AuthN vs AuthZ, how the AuthZ works, and authorization best practices.

    What is AuthZ (Authorization)?
  • Cover

    Tech

    • iam
    • oauth
    • openid-connect
    • saml
    • sso
    • jwt

    Understand IAM, OAuth, OpenID Connect, SAML, SSO, and JWT in one article

    The world of identity and access management (IAM) can feel overwhelming and confusing. But don’t worry - this article will break down the basics of them to help you see the bigger picture and navigate this complex field with confidence.

    Understand IAM, OAuth, OpenID Connect, SAML, SSO, and JWT in one article
  • Cover

    Changelogs

    • release

    Logto product updates

    It's time for a new Logto release! This month, we're introducing the new Account API for direct user management, Microsoft EntraID SSO connector enhancements and improved sign-in experience features.

    Logto product updates
  • Cover

    Tech

    • cookie
    • nextjs
    • serverless

    How to fix cookie size exceeded error by splitting cookies

    A solution for cookie size exceeded error: split the cookie into multiple smaller cookies and reconstruct them on the server side. This solution works especially well for serverless platforms without requiring additional infrastructure.

    How to fix cookie size exceeded error by splitting cookies
  • Cover

    Tech

    • OIDC
    • SSO
    • authentication

    OIDC session management

    This article explains how OIDC sessions and user authentication status are managed in the context of interactions between the IdP and SP.

    OIDC session management
  • Cover

    Tutorial

    • authentication
    • tutorial
    • sign up
    • webhook

    How to set up invitation-only sign-up in Logto

    Invitation-only sign-up is a common use case. It enhances exclusivity and security while potentially boosting engagement and retention for early-stage products.

    How to set up invitation-only sign-up in Logto
  • Cover

    Tech

    • passwordless
    • one-time password
    • otp
    • time-based otp
    • hash-based otp

    How does one-time-password (OTP) work?

    In this article, we will introduced two different one-time password methods: email/phone + verification code and dynamic code.

    How does one-time-password (OTP) work?
  • Cover

    Product

    • 404-not-found
    • logto-unknown-session
    • authorization-code-flow

    Why you might see a 404 when signing in to your Logto-integrated app

    Have you ever encountered a "404 Not Found" error when you tried to sign in to a Logto-integrated app? This blog post explains why this happens and what you can do to avoid it.

    Why you might see a 404 when signing in to your Logto-integrated app