Learn the differences between Personal Access Tokens (PATs), Machine-to-Machine (M2M) authentication, and API Keys, and how they can be used.

We would like to share some important updates regarding our Pro plan and how it will enhance your experience with Logto.

React.lazy is a great way to load components on demand and improve the performance of your app. However, sometimes it can lead to some issues like "ChunkLoadError" and "Loading chunk failed".

Learn how to enhance the user sign-up experience with Logto authentication parameters.

This article will compare webhooks vs. polling, analyze the advantages and disadvantages of each approach, and discuss when to use which.

Incident report for the unexpected 500 error returned from authentication services on Jul 18, 2024.

Debunking the "POST only" API myth, explaining why it stems from a misunderstanding of API design principles, and clarifies the appropriate use cases for RESTful and RPC architectural styles.

Slash authentication setup time to under one hour with Logto! With no-code integration, a free built-in email service, step-by-step guides of social connection, and one-click authentication flow configuration, Logto make authentication a breeze.

Explore how Demonstrating Proof of Possession (DPoP) enhances the security of OpenID Connect (OIDC) by binding tokens to client instances, mitigating replay attacks, and reducing the risk of token theft.

Learn how to use Postman to obtain a machine-to-machine access token and call Logto management API in minutes.

Last month we introduced a loooot of new features and improvements. We also have big news about compliance to share.

Sometimes your GitHub Actions workflow is moody and fails for random reasons. Let's see how you can automatically rerun it to save you time.

Just-in-Time provisioning is a process used in identity and access management systems to create user accounts on the fly as they sign in to a system for the first time. This article explains the basics of Just-in-Time provisioning and answers common questions about its implementation.

Role-based access control (RBAC) and attribute-based access control (ABAC) are two of the most popular access control models. In this post, we will give a brief overview of both models and discuss their differences.

We will introduct GraphQL in this article and compare it with REST API.

Discuss the reasons why you should consider PostgreSQL over MongoDB for your next project.

Learn how to create a custom SDK for Logto using `@logto/node`.

Learn how to create a custom social connector for Logto in just a few steps.

In this article, we will reemphasize the definition of the Logto Management API, explain how it works, and showcase typical scenarios to boost your productivity and unlock more use cases.

Learn how OIDC back-channel logout works and why it is important in modern identity solutions.

Since the initial release of OAuth 2.0, the internet has evolved significantly. Security threats have become more sophisticated. In response to these changes, the OAuth 2.1 specification has been planned. Let's explore the key differences between OAuth 2.0 and OAuth 2.1 and how they were adopted in Logto.

This guide provides an overview of URI, URL, and URN, explaining their differences and use cases.

Learn how to use PostgreSQL's JSONB type to efficiently store, query, and manipulate JSON data.

We are excited to share the latest updates to compliance and new features.

Learn how to create a custom SDK for Logto using `@logto/browser`.

Learn how to implement custom authentication in your Flutter application using Logto Flutter SDK.

Learn how to integrate Logto with Supabase to enhance the authentication experience for your applications.

In this article, we introduced how to secure your Cloudflare Workers APIs with Logto. We used Hono as the web application framework to streamline development.

We are excited to share the latest updates to compliance and new features. It was a productive month for the Logto team, so make sure you have brewed your favorite coffee before diving in.

A second part of the series on integrating Logto with WordPress, focusing on authorization.

A step-by-step guide to help you integrate Webflow with Logto.

We recently refreshed our company's website. This blog post details the tools and methods we used to improve our website.

Explores the key fields and practical applications of OpenID Connect configuration.

This comprehensive guide outlines the steps involved in integrating Logto with Hasura's JWT mode access control, effectively bolstering data security.

The Resource Owner Password Credentials (ROPC) grant type is a legacy OAuth 2.0 flow that poses security risks and should be deprecated. In this post, we will indicate why you should avoid using ROPC on your applications.

In this article, we will introduce how to use Logto custom JWT claims feature to improve the flexibility of authorization and the performance of the service provider through a real-world example.

Fixing security vulnerabilities may be a frustrating task, especially when it involves transitive dependencies. Learn how to upgrade them without affecting your direct dependencies.

Practices and insights on implementing an invitation and role access management feature like Logto Cloud collaboration in a multi-tenant application.

A hands-on guide and example to integrate WordPress with Logto.

Learn how to integrate Microsoft Entra ID (OIDC) SSO using Logto.

Use Logto as an OpenID Connect identity provider to build your app ecosystem; add authentication with two inputs with Protected App; and new guides for Blazor, SvelteKit, Nuxt.js, Expo (React Native), and Angular.

Explore different business models that Logto can support your specific requirements and help you architect your product effectively.

Single sign-on (SSO) is a great way to simplify user authentication and authorization. But which SSO method should you choose? In this post, we give you a brief overview of two popular SSO methods: SAML and OpenID Connect.

Explores the use of client assertion in OAuth 2.0 client authentication.

Learn how to monetize your Chrome extension by adding user authentication to it.

Contrasts auth & user data. Details Logto's secure storage & movement. Outlines data flow best practices (attribute mappings, data syncing, custom JWTs).

Incident report for the 2024-03-18 unexpected JWT `iss` change.

Learn how to integrate Azure SAML SSO using Logto in minutes.

OIDC prompt is a parameter that can be used to control the behavior of the authentication flow. This blog post explains how OIDC prompt works and which one to use in different scenarios.

This blog post introduces the basic concepts of both token-based authentication and session-based authentication, with their pros and cons. This could help readers to choose the proper authentication scheme for their application.

This blog post aims to shed light on the relationship between OIDC resource indicators and their role in obtaining access tokens.

The story behind Protected App.

Learn how to build a user authentication flow with Angular by integrating Angular OIDC client library.

Explore the simplicity of implementing multi-tenancy for your applications using Postgres.

Explore the versatile authorization system of Logto.

Learn how to build a user authentication flow with Nuxt by integrating Logto SDK.

Learn how to build a user authentication flow with SvelteKit by integrating Logto SDK.

Learn how to build a user authentication flow with Expo (React Native) by integrating Logto SDK.

Use Logto as an OpenID Connect identity provider to build your app ecosystem; add authentication with two inputs with Protected App; and new guides for Blazor, SvelteKit, Nuxt.js, Expo (React Native), and Angular.

This article reveals the differences between public and confidential clients in OAuth, with Logto applications as example.

Logto can be used as an identity provider for your third-party applications. This article explains how to configure Logto as an IdP.

Logto vs. Auth0 is always an interesting topic. In this article, we've shifted and updated our product vision and explained our new, specific, and sharp perspectives about what sets our product apart from Auth0.

What is the user consent screen and how does it work? This article explains the basics ideas behind the user consent screen and how it should be used.

Build a personalized experience for your users right in your GPT. This tutorial shows you how to use OAuth to create a personal agenda assistant GPT.

Discover key concepts and common use cases for API key, Personal Access Token (PAT), and Logto Machine-to-Machine (M2M) credentials.

A hands-on guide to setting up Google Cloud Storage as the file storage of Logto.

Discover key concepts and common use cases for integrating both first-party and third-party apps using Logto as your identity provider.

Incident report for the Logto service outage on 2024-01-11 due to domain renewal failure.

Single sign-on (SSO) is a great way to simplify the authentication model and improve the user experience for every app. Here's why.

Learn how to integrate Google Workspace SSO with your application in minutes.

In this article, we introduced the implicit flow and authorization code flow within the OAuth 2.0 protocol, explaining the security vulnerabilities present in the implicit flow and how the authorization code flow (along with PKCE) addresses these issues.

We're excited to announce updates to our Logto plan packages!

This article introduces how to use Cloudflare Tunnel to achieve HTTPS and custom hostname for painless local debugging.

Learn how to use Logto Management API for your application in different scenarios.

Creating a multi-tenant application can be complex. This article gathers all our past posts about multi-tenant and organization strategies. We hope it can help you save time and get started easily.

Learn how to integrate Okta SSO with your application in minutes.

Incident report for the Logto service outage on 2023-12-17 due to loss of production Docker image.

Open standards such as OpenID Connect and OAuth 2.0 are the foundation of modern identity management. Today we'll look at why they're so important.

In this article, we provide an overview of the SAML and OIDC protocols, along with their typical authentication flows. We compare the distinct differences, pros and cons of each protocol. Additionally, based on potential user scenarios, we offer guidance on choosing between these two protocols.

In this post, we are going to explore the importance of the "iat" claim in the ID token and how to troubleshoot the "Invalid issued at time in ID token" error.

Enterprise SSO is designed to support any SAML and OIDC connection, offering the simplest configuration and powered by Logto.

Logto has released Enterprise SSO, supporting easy integration with any IdP using SAML or OIDC, complemented by a step-by-step guide and ready-to-use authentication flows.

This article explores OAuth 2.0 device flow, a solution for identity authentication on devices that either lack a browser to perform a user-agent-based authorization or are input constrained, outlining its purpose and user interaction flow.

A hands-on guide and example to integrate Passport.js with Logto.

Single sign-on (SSO) is a method of authentication that allows a user to access multiple applications or services with a single set of login credentials. This article will explain what SSO is, how it works, and why it's important for businesses.

Take a look at how we designed Logto's multi-tenancy model and the benefits it brings to SaaS apps.

Learn how to set up a solid and scalable identity foundation for multi-tenancy with Logto Organizations.

Learn how to use Logto organizations to build the identity infrastructure for your SaaS app.

This article provides a detailed guide on how to design an authorization model for organization and role-based access control, and offers best practices for different authorization models in the Logto platform.

Discover the latest features and improvements that we have been working on from the previous period.

A hands-on guide to implementing WebAuthn in Next.js with live code examples.

Discover the latest features and improvements that we have been working on from the previous period.

Learn how to integrate MFA into your sign-in experience with one-click.

Learn how to leverage OAuth 2.0 and JWT to secure your API resources for machine-to-machine communication.

Social engineering is the art of manipulating people so they give up confidential information. Every cyber crime starts with a social engineering attack. Let's have a look at how it works and how to protect yourself from it.

Tenant isolation is a key concept in multi-tenant applications. In this article, we'll discuss what it is and how it can be achieved.

Let's take a closer look at the redirect URI as it's crucial for app developers and system administrators.

Learn the basics of module augmentation in TypeScript, and how to add type definitions for nested JavaScript files.

This article introduces how to enhance the security of your Node.js app by integrating authenticator app verification such as Google Authenticator and Microsoft Authenticator.

Gain a comprehensive understanding of WebAuthn, including its concept, workflow, reasons for its popularity, and associated challenges.

Introduce some basic concepts of WebAuthn, aiming to help you make better decisions when integrating WebAuthn.

Should all SaaS apps employ multi-tenancy architectures? Can multi-tenancy architectures be applied to consumer apps?

In this article, we will explore three common API authorization mechanisms, API keys, basic authentication, and OAuth JWT tokens. In the end, we will also talk about how Logto can help you protect your APIs using OAuth JWT tokens.

Learn the benefits of incorporating an identity solution from the beginning of your product development.

Learn the essentials of asymmetric encryption, and understand the pros and cons of the two popular JWT signing key algorithms - EC and RSA.

In this article, we have introduced the concepts of public keys, private keys, and the principles of asymmetric encryption. We have compared their pros and cons against symmetric encryption, as well as the differences in their usage scenarios.

Learn what service provider-initiated (SP-initiated) single sign-on (SSO) is and how it can help your business-to-business (B2B) product.

Integrates Logto auth to your Next.js application using Server Actions.

This article provides a quick guide to writing efficient end-to-end tests with jest-puppeteer, emphasizing the setup process, commonly used APIs, and practical testing scenarios using a simple to-do app as an example.

Taking a deeper dive into the notion of "multi-tenancy" and sharing our insights on how we perceive it.

This guide will show you how to authenticate with Logto in your Single Page Application (SPA) tests.

Gain a clear understanding of JSON Web Token (JWT) fundamentals in 5 minutes.

This article introduces how to utilize existing tools to migrate previous user data to Logto, in the situation where Logto has not yet provided data migration services.

Learn the essentials of OpenID Connect (OIDC) grants, and how to troubleshoot the "invalid_grant" error.

Learn how to protect your Express.js API endpoints with JSON Web Tokens (JWT) and Logto.

Discover the latest features and improvements that we have been working on from the previous period.

Gain insights into crafting product password policies that are compliant, secure, and user-friendly, with Logto ensuring the security of your authentication process.

Deep into the transition experience of crypto to Web Crypto API, providing a comprehensive guide focusing on 3 commonly scenarios.

This article explains why JWT is widely adopted as the format for access tokens in OAuth 2.0, highlighting its benefits and limitations.

As creators of developer tools, we frequently discuss the notion of "developer experience." This term is akin to "user experience" but can appear hazy and abstract. So, what precisely does it entail?

Discover the latest features and improvements that we have been working on from the previous period.

Learn how to build a user authentication flow with ASP.NET Core by integrating Logto SDK.

Learn how to integrate Azure AD SSO with Logto using standard SAML connector.

How can we quickly learn a new programming language? In this article, we'll share our weekend experience of learning Python by building a complete project.

Dive in and let's talk about why refresh token rotation is an effective way to protect the safety of your refresh tokens.

In this article, we have presented several classic methods for cracking passwords, along with the underlying principles behind these approaches. Addressing these concepts, we have provided practices from both the perspective of password custodians and account owners on how to enhance the security of passwords.

Deconstructing Multi-Factor Authentication (MFA) through an analysis of its core components, user processes, and essential guiding principles.

Using Next.js new feature Server Actions to implement cookie-based stateless session, and experiencing the benifits of Server Actions.

How to determine whether it's necessary to develop a new feature.

The OpenID Connect (OIDC) Protocol, has emerged as a widely adopted standard for identity management. But do you really understand the roles and attributes of these tokens?

The concept of 'tenant' is relatively unfamiliar to most users, but it is especially important for building identity models. In this article, we will go through examples to help everyone understand what kind of identity model suits their business.

Logto offers a variety of SDKs for different platforms. Apart from our official SDKs, we encourage developers from the community to create their own user-friendly SDKs. This article will guide you on building a basic client-side SDK for OIDC.

Explore email types and factors affecting delivery in auth scenarios. Easily integrate popular email delivery service with sign-in experience, or choose the free email delivery solution without any configuration provided by Logto.

Tracking DAU and MAU in high-traffic sites is a challenging task. This article describes how we solved this problem at Logto.

In this tutorial, we will demonstrate how to build the authentication flow with Logto in Capacitor. This will enable you to create cross-platform sign-in and sign-up flows with ease.

This article explains how PKCE protects the authorization code flow for native apps, using unique code verifiers and code challenges to prevent potential attacks.

Our customers often ask us what makes us different from Auth0. In this article, we'll explain the key details and share some strong opinions about what sets our product apart from Auth0 and other alternatives.

As we gear up for the official launch, I want to assure you of a smooth transition. Your experience with Logto Cloud will be seamless, and here are some things you can expect.

With the arrival of the era of multi-device collaboration, does your app support collaboration across devices? If not, what problems are you facing? In this article, we will explore how an app can take the first step to adapt to cross-device collaboration by allowing signing in to multiple devices.

At Logto, we prioritize the utmost security measures to protect your data and ensure your trust in our services.

You may heard of advices for choosing password hashing algorithms, but did you think why they are recommended? In this article, we will explore the evolution of password hashing algorithms and the reasons behind them.

The story of how we support an array of diverse connectors with both good user experience and development experience. With the help of config driven development, we made a low-code connectors platform.

This article provides four tips for remote work from the real experience as a full-time employee of Logto.

We have published the sign-in experience Figma resources to public, including comprehensive authentication flow designs and versatile styles and components.

Our pricing model is not just about revenue generation. We’re eager to share how we’ve designed it to address the unseen challenges startups face.

As a developer-centric product, we greatly value the feedback and contributions from our community, constantly striving to establish a healthy and self-sustainable environment. Discover our ongoing community management journey in the post.

A recent experience with a company worth billions of dollars showed a negative example of how even a common and fundamental user requirement can be mishandled.

Building user identity is a critical component of any application. Validating usernames and passwords may seem like the simplest approach, but there are many other aspects to consider.

Discover the latest improvements from Logto for tiered pricing, custom domains, and more.

Increase conversions, enhance data quality, and improve user retention with social login (social sign-in)! This article explores its benefits and offers user-friendly design tips with comparative case studies.

React Router is a popular library for managing routing in React applications. However, a recent change has displayed a level of arbitrariness and laziness that may negatively impact developers who seek robust type checking.

In this article, we will demonstrate how to use OAuth `scope` for authorization in ChatGPT plugins.

When it comes to OAuth, it is crucial to prioritize security and fraud protection. One can never be too careful in safeguarding sensitive information. How well-versed are you in the protective measures employed by OAuth? Does your system adhere to the open standard of OAuth? Are you mindful of the potential risks that may arise during the implementation of the user authentication flow? Let's briefly recap what we have learned about OAuth.

This article shares the experience of using the ChatGPT API to efficiently support internationalization (i18n) of products, providing tips on integrating the API, improving translation results, and optimizing instructions for better outcomes.

Edge Runtime has become a buzzword in the technology landscape, Vercel and its Next.js framework have recently added support for it. Logto's Next.js SDK is now supporting Edge Runtime as well. In this article, we're going to share our adventure, looking at the hurdles we faced, how we overcame them, and the cool stuff we learned along the way.

Logto offers a pay-as-you-go and usage-based pricing model with a transparent measurement of Monthly Active Users (MAU).

Logto product updates for May 2023

Last year, there were news articles circulating on the internet claiming that big tech companies were joining forces to eliminate passwords. Some startups even declared that passwords were obsolete and outdated.

Our community has expressed interest in using Logto as an Identity Provider for certain products, such as Outline or ChatGPT plugins. In theory, Logto can serve as an OAuth or OIDC (OpenID Connect) provider as long as the product you want to integrate supports either of these protocols.

In this article, we will demonstrate how to use Logto as an OAuth identity provider for ChatGPT plugins.

ChatGPT plugins are now available to all Plus members. Although still in beta, these plugins hold great potential for AI-powered apps, as they seamlessly integrate with your business directly within the chat interface.

In this article, we will demonstrate how to use Logto as an OpenID Connect (OIDC) identity provider for Outline.

This article details the process of migrating Logto's Next.js SDK sample project to the new Next.js 13 App Router, covering the steps of creating new pages and layouts, transitioning API routes, and utilizing server and client components.

This article is here to help you develop a secure and scalable identity system for your multi-app business. We will cover best practices, key factors to consider, and provide quick-start guides to get you started on the right track.

Logto product updates for April 2023

This article offers a comprehensive guide on mastering Role-Based Access Control (RBAC) in Logto, using a real-world example of an online bookstore to explore key user roles, scopes, and integrating Logto's RBAC features in frontend and backend applications for enhanced security and access control.

In this article, we demonstrate how Logto can mitigate certain frustrating user sign-in/up scenarios by presenting a real-life use case of Thomas, who had trouble signing in to the W app.

Logto product updates for March 2023

Logto Cloud (Preview) has launched on Product Hunt. Come and support us!

Logto product updates for February 2023 (extended)

I’ve seen a lot of developers asking questions like “Should I build my own auth for my app?”. While the answer cannot be a simple "Yes" or "No", I’d like to write an article to breakdown the implementation and demonstrate the pros and cons to help you decide.

Organization and Tenant are great for grouping Identities, but they lead to an absolute democracy: everyone can do anything in this system. While utopia is still a mystery, let’s take a look at the governance of access: Authorization (AuthZ).

Logto product updates for February 2023

Logto product updates for January 2023

In the previous piece, we discussed the development of the Sign-in Experience, and what makes a positive end-user encounter, and we ended on some thought-provoking topics. In this article, we'll answer these questions and show you how the Logto Admin Console can help.

Logto started with the CIAM for various reasons (we’ll have another article talking about this). During development, we realized that building a unified understanding across the team would be beneficial before taking our product to the next level. We hope this will also help you gain a better grasp of the IAM landscape.

In this article, we'll go over the history of Sign-in Experience, including its conception, design decisions, and product tradeoffs. You will also gain a better grasp of how to construct a successful and frictionless sign-in or sign-up experience.

In this article, we’ll focus on connecting Logto and Hasura, which enables you to implement authentication, authorization, and GraphQL APIs without friction. Thus you can quickly jump into your business without rocket-science learning.

In this article, I won’t compare monorepo and polyrepo since it’s all about philosophy. Instead, I’ll focus on the building and evolving experience and assume you are familiar with the JS/TS ecosystem.