Requests

Managing user sessions with multi-device session tracking, session controls, etc.

Support passwordless authentication with passkey sign-in

Trigger MFA according to the current risk level, e.g. a new device, IP, etc.

Instantly integrate account setting flows (e.g., update email, password, MFA) with a prebuilt UI into your app.

Add the client IP address to the payload to enable IP-based rate limiting and reduce abuse.

Currently in progress

Support RFC 8628: OAuth 2.0 Device Authorization Grant.

Adjust username case-sensitivity, length restrictions, allowed charset, etc.

System for cross-domain identity management APIs.

Choose whether to sync unverified emails from social or enterprise identity providers via OIDC.

Manage MFA (passkeys, authenticator apps, backup codes) in your Logto Cloud console profile.

Add custom user data to the ID token so clients can access identity details instantly

A set of framework-agnostic web components that can interact with Account API.

Authenticate users via API. No redirect needed.

Support for wildcard patterns in redirect URIs to improve authentication for dynamic environments like preview deployments.

Allow to use code-based configuration to provision role-based access control, for example, a YAML file.

Customize policies to control authentication, such as username rules, IP blacklist / whitelist, verification code expiration, etc.

A set of framework-agnostic web components that can interact with Experience API.

Making it easier for users to see all the apps they’re connected to in one simple, centralized place.

An out-of-the-box solution that allows org admins to manage identities, organization profiles, and set up enterprise SSO themselves.

Insert custom text, links, and images into the default sign-in and sign-up pages.

Generate a secure key for programmatic access to the Logto Management API

Define dynamic access policies using user or resource attributes for context-aware security.

Migrate users from your legacy system to Logto only when they sign in.

Add Google One Tap to your website and authenticate users through Logto.

Block users at the login stage if they come from a specific app. This will essentially enable app-level authentication (beyond just branding).

Add custom claims to ID tokens using JavaScript code snippet.

RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol

Provide an option to emit a noindex meta tag or X-Robots-Tag response header for sign-in pages.

Provide an option to override the default OIDC access token time-to-live (TTL) and session TTL.

Support Client Initiated Backchannel Authentication (CIBA) Flow.

Track all end-user activities performed through the Account API, including identifier, password, MFA, and profile updates.

Directly register via forgot password instead of prompting for another round of verification.

Limit access by IP address, user agent, and other policies.

Allow specifying a localization parameter in privacy policy and terms of use URLs.

Invokes your API whenever a user’s role or organization role changes.

Skip verifying email/phone number during sign-up.

Option to allow both Google Workspace and Google social logins for the same account.

Allow verification code flow for SSO-provided unverified emails.

Restrict access to machine-to-machine applications only from allowed IP addresses or CIDR ranges.

Allow admins to define a list of email domains or addresses that can register.

Currently under consideration.

Currently under consideration.

Configure a mandatory minimum age for the birthdate sign-up field to ensure compliance

Limit selectable country codes in the phone number field to support region-specific apps

Collect mandatory and optional profile fields during user registration.

Support multiple custom domains and render different sign-in experience brandings according to the domain.

Use Logto as a SAML identity provider.

Reject any sign-up attempts using a disposable email address to prevent spam and improve user quality.

A set of APIs and rules that allow end-users to update their identifiers and profile.

Add reCAPTCHA / Cloudflare Turnstile / hCaptcha for bot protection.

Directly convert Dev tenant to a Pro tenant.

Simplify wording when no matching account is found during sign-in experience.

Provide typed libraries for services (e.g., Node.js) to use Logto Management API.

Allow end users to update, delete, and verify TOTP via Account API.

Remove "Powered by Logto" to spotlight your brand exclusively on the sign-in experience.

Enable email or SMS passwordless verification for multi-factor authentication.

One-time token for organization member invitation, user invitation, password recovering, etc.

Multiple sign-up identifiers (e.g., email & username) and other improvements

Securely let users authorize third-party services, then store, manage, and use the tokens with Logto.

Register, name, and manage multiple passkeys via Account API.

Directly manage access permissions for Account API in the console.

Store and retrieve 'access and refresh tokens' from social providers (e.g., Google) for API access.

Customize the policy to provisionally lock accounts after multiple failed sign-ins to prevent brute force access.

Currently under consideration.

Use ui_locales to adjust the sign-in locale dynamically and expose it to email templates.

Customize organization's sign-in experience with exclusive logo, favicon, colors, and custom CSS.

Currently under consideration.