Logto Roadmap | Productlane

Requests

Discover our plans and suggest new improvements.

started

Optional sign-up identifiers for social sign-in

Allow users to sign in with social providers without being required to provide additional sign-up identifiers (e.g., email or phone).

In Progress

Account center: security & custom CSS

Integrate fully featured security settings (e.g., update identifier, password, MFA) for end-users with prebuilt UI.

Planned

Username policies

Adjust username case-sensitivity, length restrictions, allowed charset, etc.

SCIM API

System for cross-domain identity management APIs.

Guest mode: Anonymous access

Allow anonymous access with the option to upgrade to registered accounts.

Password reset with magic link

Extends one-time token functionality to support the password reset scenario.

Account API audit logs

Track all end-user activities performed through the Account API, including identifier, password, MFA, and profile updates.

Adaptive MFA v2: Context-aware MFA rules

Define flexible rules to require or bypass MFA based on IP, users, organizations, roles, apps, etc.

OAuth Client ID Metadata Documents

Support OAuth CIMD for URL-based client IDs, simplifying integration for AI agents and MCP.

User role change webhook event

Invokes your API whenever a user’s role or organization role changes.

Logto CLI

Standalone CLI wrapping Management API with auto-generated commands from OpenAPI spec, OAuth + M2M auth, targeting coding agents and Logto Cloud users.

App-level access control

Restrict access to specific applications for designated users.

Password force reset policy

Currently under consideration.

MFA: Trusted device

Reduce repeat MFA prompts by allowing users to mark a device as trusted for a defined period.

Backlog

Account center elements

A set of framework-agnostic web components that can interact with Account API.

API authentication

Authenticate users via API. No redirect needed.

RBAC as code

Allow to use code-based configuration to provision role-based access control, for example, a YAML file.

Organization portal

An out-of-the-box solution that allows org admins to manage identities, organization profiles, and set up enterprise SSO themselves.

Authentication policy

Customize policies to control authentication, such as username rules, IP blacklist / whitelist, verification code expiration, etc.

Sign-in experience elements

A set of framework-agnostic web components that can interact with Experience API.

Single sign-on application dashboard

Making it easier for users to see all the apps they’re connected to in one simple, centralized place.

Custom content blocks in sign-in experience

Insert custom text, links, and images into the default sign-in and sign-up pages.

Logto Management API key

Generate a secure key for programmatic access to the Logto Management API

Attribute-based access control (ABAC)

Define dynamic access policies using user or resource attributes for context-aware security.

Just-in-time user migration

Migrate users from your legacy system to Logto only when they sign in.

Email allowlist

Allow admins to define a list of email domains or addresses that can register.

Google One Tap for websites

Add Google One Tap to your website and authenticate users through Logto.

Custom claims for ID tokens

Add custom claims to ID tokens using JavaScript code snippet.

Support Dynamic Client Registration

RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol

Registration from forgot password

Directly register via forgot password instead of prompting for another round of verification.

Support machine-to-machine access policy

Limit access by IP address, user agent, and other policies.

Support CIBA flow

Support Client Initiated Backchannel Authentication (CIBA) Flow.

Unverified SSO email verification

Allow verification code flow for SSO-provided unverified emails.

Unverified email/phone number

Skip verifying email/phone number during sign-up.

Support WebAuthn for mobile SDK

Enhance native iOS and Android SDKs to use the system browser instead of a webview, enabling full WebAuthn support.

Support localization parameter in content URLs

Allow specifying a localization parameter in privacy policy and terms of use URLs.

Allow concurrent Google Workspace and social login

Option to allow both Google Workspace and Google social logins for the same account.

M2M authentication IP allowlist

Restrict access to machine-to-machine applications only from allowed IP addresses or CIDR ranges.

Country code restrictions for phone input

Limit selectable country codes in the phone number field to support region-specific apps

Minimum age limit for sign-up

Configure a mandatory minimum age for the birthdate sign-up field to ensure compliance

Support Central Authentication Service protocol

Currently under review

Support OIDC "select_account" prompt

Currently under review

i18n for custom content

Add translations for custom content (e.g., consent screen permissions, user profile collection).

Customize account existence visibility

Show whether the account exists before code verification during sign-in or sign-up.

Completed

Session management

Managing user sessions with multi-device session tracking, session controls, etc.

Passkey as a first authentication factor

Support passwordless authentication with passkey sign-in

Profile fulfillment

Collect mandatory and optional profile fields during user registration.

Out-of-the-box account settings

Instantly integrate account setting flows (e.g., update email, password, MFA) with a prebuilt UI into your app.

Adaptive MFA

Trigger MFA according to the current risk level, e.g. a new device, IP, etc.

Redirect URI wildcards

Support for wildcard patterns in redirect URIs to improve authentication for dynamic environments like preview deployments.

OAuth 2.0 device flow

Support RFC 8628: OAuth 2.0 Device Authorization Grant.

Multiple custom domains

Support multiple custom domains and render different sign-in experience brandings according to the domain.

SAML IdP

Use Logto as a SAML identity provider.

Account API

A set of APIs and rules that allow end-users to update their identifiers and profile.

Block disposable email registration

Reject any sign-up attempts using a disposable email address to prevent spam and improve user quality.

Captcha support

Add reCAPTCHA / Cloudflare Turnstile / hCaptcha for bot protection.

Dev to Pro plan production tenant

Directly convert Dev tenant to a Pro tenant.

Customize session TTL & concurrent grant limits

Enable overriding the default Logto session timeout and configure limits on concurrent sign-in devices.

Prevent search engine indexing

Provide an option to emit a noindex meta tag or X-Robots-Tag response header for sign-in pages.

Magic link

One-time token for organization member invitation, user invitation, password recovering, etc.

Account API for MFA

Allow end users to update, delete, and verify TOTP via Account API.

Typed library for Management API

Provide typed libraries for services (e.g., Node.js) to use Logto Management API.

Hide Logto branding

Remove "Powered by Logto" to spotlight your brand exclusively on the sign-in experience.

Secret vault

Securely let users authorize third-party services, then store, manage, and use the tokens with Logto.

Connectors: Sync unverified email

Choose whether to sync unverified emails from social or enterprise identity providers via OIDC.

Add custom data to ID token

Add custom user data to the ID token so clients can access identity details instantly

Sign-up capability improvement

Multiple sign-up identifiers (e.g., email & username) and other improvements

Set up MFA for Logto Cloud

Manage MFA (passkeys, authenticator apps, backup codes) in your Logto Cloud console profile.

Account API for Passkey

Custom CSS per organization

Customize organization's sign-in experience with exclusive logo, favicon, colors, and custom CSS.

Console UI for Account API

Directly manage access permissions for Account API in the console.

Add `ui_locales` authentication parameter

Use ui_locales to adjust the sign-in locale dynamically and expose it to email templates.

IdP-initiated SAML SSO

Currently under consideration.

Call third-party APIs with secret vault

Store and retrieve 'access and refresh tokens' from social providers (e.g., Google) for API access.

Customize identifier lockout policy

Customize the policy to provisionally lock accounts after multiple failed sign-ins to prevent brute force access.

Third-party app for SPA & Native

Currently under consideration.

Include IP address in HTTP SMS connector

Add the client IP address to the payload to enable IP-based rate limiting and reduce abuse.

WordPress plugin integration

Currently under consideration.

Requests

Discover our plans and suggest new improvements.

started

Optional sign-up identifiers for social sign-in

Allow users to sign in with social providers without being required to provide additional sign-up identifiers (e.g., email or phone).

In Progress

Account center: security & custom CSS

Integrate fully featured security settings (e.g., update identifier, password, MFA) for end-users with prebuilt UI.

Planned

Username policies

Adjust username case-sensitivity, length restrictions, allowed charset, etc.

SCIM API

System for cross-domain identity management APIs.

Guest mode: Anonymous access

Allow anonymous access with the option to upgrade to registered accounts.

Password reset with magic link

Extends one-time token functionality to support the password reset scenario.

Account API audit logs

Track all end-user activities performed through the Account API, including identifier, password, MFA, and profile updates.

Adaptive MFA v2: Context-aware MFA rules

Define flexible rules to require or bypass MFA based on IP, users, organizations, roles, apps, etc.

OAuth Client ID Metadata Documents

Support OAuth CIMD for URL-based client IDs, simplifying integration for AI agents and MCP.

User role change webhook event

Invokes your API whenever a user’s role or organization role changes.

Logto CLI

Standalone CLI wrapping Management API with auto-generated commands from OpenAPI spec, OAuth + M2M auth, targeting coding agents and Logto Cloud users.

App-level access control

Restrict access to specific applications for designated users.

Password force reset policy

Currently under consideration.

MFA: Trusted device

Reduce repeat MFA prompts by allowing users to mark a device as trusted for a defined period.

Backlog

Account center elements

A set of framework-agnostic web components that can interact with Account API.

API authentication

Authenticate users via API. No redirect needed.

RBAC as code

Allow to use code-based configuration to provision role-based access control, for example, a YAML file.

Organization portal

An out-of-the-box solution that allows org admins to manage identities, organization profiles, and set up enterprise SSO themselves.

Authentication policy

Customize policies to control authentication, such as username rules, IP blacklist / whitelist, verification code expiration, etc.

Sign-in experience elements

A set of framework-agnostic web components that can interact with Experience API.

Single sign-on application dashboard

Making it easier for users to see all the apps they’re connected to in one simple, centralized place.

Custom content blocks in sign-in experience

Insert custom text, links, and images into the default sign-in and sign-up pages.

Logto Management API key

Generate a secure key for programmatic access to the Logto Management API

Attribute-based access control (ABAC)

Define dynamic access policies using user or resource attributes for context-aware security.

Just-in-time user migration

Migrate users from your legacy system to Logto only when they sign in.

Email allowlist

Allow admins to define a list of email domains or addresses that can register.

Google One Tap for websites

Add Google One Tap to your website and authenticate users through Logto.

Custom claims for ID tokens

Add custom claims to ID tokens using JavaScript code snippet.

Support Dynamic Client Registration

RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol

Registration from forgot password

Directly register via forgot password instead of prompting for another round of verification.

Support machine-to-machine access policy

Limit access by IP address, user agent, and other policies.

Support CIBA flow

Support Client Initiated Backchannel Authentication (CIBA) Flow.

Unverified SSO email verification

Allow verification code flow for SSO-provided unverified emails.

Unverified email/phone number

Skip verifying email/phone number during sign-up.

Support WebAuthn for mobile SDK

Enhance native iOS and Android SDKs to use the system browser instead of a webview, enabling full WebAuthn support.

Support localization parameter in content URLs

Allow specifying a localization parameter in privacy policy and terms of use URLs.

Allow concurrent Google Workspace and social login

Option to allow both Google Workspace and Google social logins for the same account.

M2M authentication IP allowlist

Restrict access to machine-to-machine applications only from allowed IP addresses or CIDR ranges.

Country code restrictions for phone input

Limit selectable country codes in the phone number field to support region-specific apps

Minimum age limit for sign-up

Configure a mandatory minimum age for the birthdate sign-up field to ensure compliance

Support Central Authentication Service protocol

Currently under review

Support OIDC "select_account" prompt

Currently under review

i18n for custom content

Add translations for custom content (e.g., consent screen permissions, user profile collection).

Customize account existence visibility

Show whether the account exists before code verification during sign-in or sign-up.

Completed

Session management

Managing user sessions with multi-device session tracking, session controls, etc.

Passkey as a first authentication factor

Support passwordless authentication with passkey sign-in

Profile fulfillment

Collect mandatory and optional profile fields during user registration.

Out-of-the-box account settings

Instantly integrate account setting flows (e.g., update email, password, MFA) with a prebuilt UI into your app.

Adaptive MFA

Trigger MFA according to the current risk level, e.g. a new device, IP, etc.

Redirect URI wildcards

Support for wildcard patterns in redirect URIs to improve authentication for dynamic environments like preview deployments.

OAuth 2.0 device flow

Support RFC 8628: OAuth 2.0 Device Authorization Grant.

Multiple custom domains

Support multiple custom domains and render different sign-in experience brandings according to the domain.

SAML IdP

Use Logto as a SAML identity provider.

Account API

A set of APIs and rules that allow end-users to update their identifiers and profile.

Block disposable email registration

Reject any sign-up attempts using a disposable email address to prevent spam and improve user quality.

Captcha support

Add reCAPTCHA / Cloudflare Turnstile / hCaptcha for bot protection.

Dev to Pro plan production tenant

Directly convert Dev tenant to a Pro tenant.

Customize session TTL & concurrent grant limits

Enable overriding the default Logto session timeout and configure limits on concurrent sign-in devices.

Prevent search engine indexing

Provide an option to emit a noindex meta tag or X-Robots-Tag response header for sign-in pages.

Magic link

One-time token for organization member invitation, user invitation, password recovering, etc.

Account API for MFA

Allow end users to update, delete, and verify TOTP via Account API.

Typed library for Management API

Provide typed libraries for services (e.g., Node.js) to use Logto Management API.

Hide Logto branding

Remove "Powered by Logto" to spotlight your brand exclusively on the sign-in experience.

Secret vault

Securely let users authorize third-party services, then store, manage, and use the tokens with Logto.

Connectors: Sync unverified email

Choose whether to sync unverified emails from social or enterprise identity providers via OIDC.

Add custom data to ID token

Add custom user data to the ID token so clients can access identity details instantly

Sign-up capability improvement

Multiple sign-up identifiers (e.g., email & username) and other improvements

Set up MFA for Logto Cloud

Manage MFA (passkeys, authenticator apps, backup codes) in your Logto Cloud console profile.

Account API for Passkey

Custom CSS per organization

Customize organization's sign-in experience with exclusive logo, favicon, colors, and custom CSS.

Console UI for Account API

Directly manage access permissions for Account API in the console.

Add `ui_locales` authentication parameter

Use ui_locales to adjust the sign-in locale dynamically and expose it to email templates.

IdP-initiated SAML SSO

Currently under consideration.

Call third-party APIs with secret vault

Store and retrieve 'access and refresh tokens' from social providers (e.g., Google) for API access.

Customize identifier lockout policy

Customize the policy to provisionally lock accounts after multiple failed sign-ins to prevent brute force access.

Third-party app for SPA & Native

Currently under consideration.

Include IP address in HTTP SMS connector

Add the client IP address to the payload to enable IP-based rate limiting and reduce abuse.

WordPress plugin integration

Currently under consideration.