Logto product updates

Logto v1.38.0 is here. This release brings OAuth 2.0 Device Authorization Grant support, passkey sign-in, adaptive MFA, session and grant management, and more flexible OIDC configuration for OSS deployments.

Charles, Developer


We're excited to announce Logto v1.38.0, our March 2026 release! This update adds device flow for input-limited apps, introduces passkey sign-in and adaptive MFA improvements, and expands session, grant, and tenant-level configuration controls across Logto.

Device flow for input-limited apps

One of the biggest additions in this release is support for OAuth 2.0 Device Authorization Grant. This makes it much easier to build authentication flows for devices that do not have a full keyboard or browser experience, such as smart TVs, CLI tools, gaming consoles, and IoT devices.

With device flow, users can:

  • Start sign-in on the device
  • Open a verification URL on another device
  • Enter a short user code
  • Complete authentication there
  • Return to the original device with tokens issued

We also added full Console support for device flow applications. You can now create device flow apps by selecting Input-limited app / CLI under Native apps, or by choosing Device flow as the authorization flow when creating an app manually. The application settings page also includes a built-in guide and demo to help you get started.

Passkey sign-in becomes a first-class flow

This release introduces passkey sign-in as a full authentication method in Logto.

Passkey sign-in provides a faster, passwordless experience for returning users while also improving account security. It works with familiar platform authenticators such as Face ID, Touch ID, and Windows Hello.

We added support for several passkey-based user journeys:

  • A dedicated Continue with passkey button for immediate sign-in
  • An identifier-first flow that prioritizes passkey verification before falling back to password or verification code
  • Browser autofill support so users can pick a saved passkey directly from the identifier input
  • Passkey binding during registration for new users
  • Reusing an existing WebAuthn MFA credential for passkey sign-in without another registration step

For more details, check out our passkey sign-in documentation.

Adaptive MFA and better MFA guidance

This release continues our investment in modern MFA experiences with two major improvements.

Adaptive MFA

Adaptive MFA is now supported in Logto. When enabled, the sign-in flow evaluates adaptive MFA rules against the current sign-in context and requires MFA when those rules are triggered.

This also includes:

  • Adaptive MFA configuration in Console
  • Persisted sign-in context in interaction data
  • Access to context.interaction.signInContext in custom-claims scripts
  • A new PostSignInAdaptiveMfaTriggered webhook event

Optional MFA onboarding

For users who are not required to set up MFA, Logto can now show a dedicated onboarding page after credential verification, asking whether they want to enable MFA for better protection.

This is especially useful alongside passkey sign-in, where a user may want to use passkeys for sign-in without necessarily enabling them as an MFA factor at the same time.

Session and grant management across APIs and Console

This release adds a major set of account and admin controls around user sessions and authorized applications.

User session management

Logto now supports session management in both account APIs and management APIs. You can list active sessions, inspect session details, and revoke sessions with optional grant revocation behavior.

We also introduced:

  • A new session permission in Account Center settings with off, readOnly, and edit options
  • A new urn:logto:scope:sessions user scope for session-related account API access
  • Richer session context, including IP address, user agent, and geolocation when available

On the Console side, user details now include an Active sessions section and a dedicated session details page with revoke support.

Authorized application grant management

Logto now supports listing and revoking user application grants in both the account and management APIs.

This release also adds an Authorized third-party apps section on the user details page in Console. Admins can now see active third-party authorizations, review metadata such as app name and creation time, and revoke access directly from the UI.

App-level concurrent device limits

Applications can now define a maxAllowedGrants value in customClientMetadata to limit how many active grants a user can keep for a specific app. Once the configured limit is exceeded, Logto automatically revokes the oldest grants.

Console also includes a new Concurrent device limit section in application details so this can be configured visually.

More OSS controls for OIDC settings

For OSS users, this release makes OIDC settings more configurable and easier to manage.

You can now define oidc.session.ttl in logto-config to customize the OIDC provider session TTL in seconds. If unset, the default remains 14 days.

We also added:

  • GET /api/configs/oidc/session
  • PATCH /api/configs/oidc/session

On the Console side, OSS now gets a new Tenant -> Settings page, with an OIDC settings tab that replaces the old Signing keys page. The new page also includes a Session maximum time to live field for configuring session TTL in days.

If you are running OSS, remember to restart the service after config changes so the new OIDC settings are loaded. If you want config updates to take effect automatically, consider enabling central Redis cache.

Account Center improvements

The out-of-the-box Account Center also gets several useful upgrades in this release.

Users can now:

  • Replace their authenticator app through a dedicated /authenticator-app/replace route
  • Use the identifier URL parameter to pre-fill identifier fields
  • Override the built-in Account Center language with the ui_locales URL parameter

We also improved password forms for better browser autofill and password manager compatibility.

Developer-focused API improvements

For teams migrating users into Logto, the GET /users and GET /users/:userId endpoints now support an includePasswordHash query parameter. When enabled, the response includes passwordDigest and passwordAlgorithm, which can help with migration workflows that need raw password hash data.

We also added support for access token exchange in service-to-service delegation scenarios. Logto can now exchange opaque or JWT access tokens for new access tokens with different audiences using the standard urn:ietf:params:oauth:token-type:access_token token type.

Bug fixes

This release also includes several stability and compatibility improvements:

  • MFA verification routes for TOTP, WebAuthn, and backup codes now report activity to Sentinel, making repeated failures easier to detect and isolate.
  • OIDC adapter queries for findByUid and findByUserCode now use literal JSONB keys so expression indexes can work better under prepared generic plans.
  • Postgres pool initialization now retries on transient startup connection errors.
  • Legacy password verification now supports hex:-prefixed PBKDF2 salt values during user import.
  • Token exchange performance is improved by caching minimal OIDC resource lookups and pre-generating grant IDs during token issuance.
  • The Twilio SMS To field is now normalized for non-E.164 numbers by ensuring a leading +.

Breaking changes

This release includes a connector toolkit breaking change.

The long-deprecated mockSmsVerificationCodeFileName export has been removed from @logto/connector-kit.

We also updated the file paths used by mock connectors to store sent message records:

  • /tmp/logto_mock_email_record.txt -> /tmp/logto/mock_email_record.txt
  • /tmp/logto_mock_sms_record.txt -> /tmp/logto/mock_sms_record.txt

If your local or Docker-based workflows depend on the old paths, you will need to update them.

New contributors

Thanks to our new contributors for helping improve Logto:


Get started

Ready to upgrade? Check out our upgrade guide for step-by-step instructions.

For the complete list of changes, see the GitHub release page.

Have questions or feedback? Join us on Discord or open an issue on GitHub.