Logto product update: Compliance status, custom JWT, API resources for organization roles, and more

May 15, 20244 min read
Logto product update: Compliance status, custom JWT, API resources for organization roles, and more

Compliance status

Logto Cloud now passes all SOC 2 checks from the compliance automation platform. We've scheduled a SOC 2 Type I audit and are working towards a SOC 2 Type II audit.

Custom JWT

JWT access tokens can now be customized with additional claims using custom JavaScript code snippets. This feature is useful when you need to include custom data in the token for compatibility with other systems.

To use this feature, navigate to the "Custom JWT" tab in the Console. Both user and machine-to-machine (M2M) tokens can be customized.

Custom JWT page

Before deploying the changes, you can use the "Run test" button to see how the token will look with the custom claims.

See 🎫 Custom JWT claims for more information.

In Logto Cloud, every custom JWT code run is in an isolated serverless environment. This ensures the custom code does not interfere with the rest of the Logto services and users.

In the open-source version, the code for custom JWT will run in the same environment as the rest of the Logto code. Be careful when adding custom code to the JWT, as it can introduce security vulnerabilities.

API resources for organization roles

You can now assign permissions (scopes) from the API resources to organization roles. Like other permissions in the organization template, these permissions are organization-level, meaning that they only apply to a specific organization.

Assign API permissions to an organization role

Let's see an example:

  • There is an API resource called https://shopping.api/.
  • The API resource has two scopes: read and write.
  • There are two organization roles: admin and user.
  • The admin role has both read and write scopes; the user role has only the read scope.
  • A user Alice is assigned the admin role in the organization foo, and the user role in the organization bar.

When Alice tries to exchange an organization token for the https://shopping.api/ resource, she will receive a token with scopes based on which organization she is requesting the token for.

For the foo organization, Alice will receive a token with both read and write scopes. For the bar organization, she will receive a token with only the read scope.

See 🏢 Organizations (Multi-tenancy) for a comprehensive introduction to organizations.

Third-party app permissions

Organizational API resources can also be used when configuring permissions for third-party apps. User will be prompted to select an organization when configuring permissions for a third-party app.

Third party consent page

Organization custom data

Now you can save additional data associated with the organization with the organization-level customData field by:

  • Editing in the Console organization details page.
  • Specifying the customData field when using organization Management APIs.


  • Added Hugging Face connector.
  • GitHub connector now has the user:email as part of default scope to fetch GitHub account's private email address list.
    • It now picks the verified primary email among private email address list as a fallback if the user does not set a public email for GitHub account.
  • Removed the plus sign in front of the phone number in the feishu connector (#5801). Credit @kamto7.


  • Added support for Redis Cluster and extra TLS options for Redis connections (#5619). Credit @alekitto.
  • OIDC and OAuth 2 connectors now support client_secret_basic and client_secret_jwt client authentication methods for the token endpoint.
  • When a user is deleted or suspended through Management API, they will be signed out in Logto and their sessions will be invalidated immediately.
  • Support comma separated resource parameter as some libraries do not support array of resources.
  • Added an API to fetch user organization scopes based on user organization roles (
    GET /api/organizations/:id/users/:userId/scopes
  • Added Java Spring Boot web integration guide.
  • Added zh-cn phrases in OIDC consent page (#5606). Credit @the-pawn-2017.


  • Organization invitation APIs should handle invitee emails case insensitively.
  • Management API will not return 500 in production for status codes that are not listed in the OpenAPI spec.
  • Return 403 instead of 400 when Logto tries to grant an access token to a user lacking the required permissions, especially when granting for organization related resources.
  • Fixed the wrong social sign-in callback that posts to the native container (e.g. WKWebView in iOS).
  • Fixed the new user from SSO register hook event not triggering bug.
  • Fixed a bug that API resource indicator does not work if the indicator is not followed by a trailing slash or a pathname.