Logto

Logto is an open-source Customer Identity and Access Management (CIAM) platform providing OIDC-compliant authentication, built-in social login connectors (20+ providers), multi-tenancy, RBAC, and SDKs for 20+ platforms — available as self-hosted or Logto Cloud with a built-in admin UI.

Evaluated Mar 06, 2026, v1.18.x
Category: Security
Tags: auth, ciam, identity, oidc, oauth2, saml, rbac, multi-tenancy, self-hosted, social-login
⚙ Agent Friendliness: 60 / 100 (Can an agent use this?)
🔒 Security: 89 / 100 (Is it safe for agents?)
⚡ Reliability: 79 / 100 (Does it work consistently?)

Score Breakdown

⚙ Agent Friendliness

MCP Quality: --
Documentation: 85
Error Messages: 80
Auth Simplicity: 72
Rate Limits: 80

🔒 Security

TLS Enforcement: 98
Auth Strength: 90
Scope Granularity: 85
Dep. Hygiene: 85
Secret Handling: 88

Logto enforces HTTPS, uses argon2id for password hashing, supports MFA (TOTP + backup codes), and implements PKCE for all public clients. Management API secrets must be stored securely; rotating M2M credentials is a manual process.

⚡ Reliability

Uptime/SLA: 80
Version Stability: 78
Breaking Changes: 75
Error Recovery: 82

Best When

You need a developer-friendly, open-source CIAM with social login, multi-tenancy, and SDKs out of the box, and want to avoid building authentication infrastructure from scratch.

Avoid When

You need deep enterprise SAML federation, complex attribute-based access control, or a fully managed service with a guaranteed SLA above 99.9% without operational involvement.

Use Cases

  • Integrate user authentication with Google, GitHub, Microsoft, or any OIDC provider in minutes using Logto's pre-built social connectors and SDK for your platform (React, Next.js, Python, Node, etc.)
  • Implement multi-tenant SaaS authentication where each organization has isolated user pools, roles, and OIDC configurations — managed via Logto's Organizations API
  • Define and enforce RBAC policies by creating roles and permissions in the Logto admin console and verifying scopes in access tokens issued to users and machine-to-machine clients
  • Provision machine-to-machine (M2M) application credentials for agent services via the Management API, issuing scoped Client Credentials tokens for inter-service authentication
  • Customize the sign-in experience (branding, color, logo, custom domain, custom CSS) via the Admin Console without touching authentication logic code

Not For

  • Fine-grained resource-level authorization (row-level security, relationship-based access) — Logto provides role/scope RBAC only; use OpenFGA for Zanzibar-style authz
  • Complex enterprise SAML federation with legacy IdPs requiring deep SAML attribute mapping — Logto's SAML support is growing but not as mature as commercial IAM platforms
  • High-volume token issuance at millions of requests per second on the free cloud tier — Logto Cloud free tier has MAU and rate limits; self-hosted removes these but requires operational investment

Interface

REST API: Yes
GraphQL: No
gRPC: No
MCP Server: No
SDK: Yes
Webhooks: Yes

Authentication

Methods: api_key, bearer_token, client_credentials
OAuth: Yes
Scopes: Yes

Management API requires a machine-to-machine app with Client Credentials grant and the appropriate management API resource/scopes. User-facing APIs use OIDC Bearer tokens. Admin Console uses session-based auth.

Pricing

Model: open_source
Free tier: Yes
Requires CC: No

Self-hosted (open source, Apache 2.0) is free with no MAU limits. Logto Cloud Free tier is generous for development and small apps. Pro tier adds advanced features and higher limits.

Agent Metadata

Pagination: offset
Idempotent: Partial
Retry Guidance: Documented

Known Gotchas

  • Management API access requires a machine-to-machine application with the Logto Management API resource explicitly added as an authorized resource — this is separate from regular OIDC app creation and is a common setup mistake
  • RBAC scopes must be explicitly requested in the authorization request AND configured in the application's allowed scopes; tokens silently omit unrequested or unconfigured scopes without an error
  • Webhook event delivery is at-least-once with no built-in deduplication — agents consuming Logto webhooks must implement idempotency using the hookId and event timestamp as a compound deduplication key
  • Multi-tenant organization membership changes (adding/removing users from organizations) via API take effect immediately but cached OIDC tokens retain the old organization claims until they expire — agents must account for up to token TTL delay in permission changes
  • Social connector token storage: Logto stores social provider access tokens internally but does not expose them via Management API; agents that need to call social provider APIs on behalf of users must implement their own token storage after the OAuth callback

Full Evaluation Report

Detailed scoring breakdown, competitive positioning, security analysis, and improvement recommendations for Logto.

$99

Scores are editorial opinions as of 2026-03-06.
