Requests

Restrict access to specific applications for designated users.

Invokes your API whenever a user’s role or organization role changes.

Adjust username case-sensitivity, length restrictions, allowed charset, etc.

System for cross-domain identity management APIs.

Allow anonymous access with the option to upgrade to registered accounts.

Track all end-user activities performed through the Account API, including identifier, password, MFA, and profile updates.

Extends one-time token functionality to support the password reset scenario.

Define flexible rules to require or bypass MFA based on IP, users, organizations, roles, apps, etc.

Currently under consideration.

Support OAuth CIMD for URL-based client IDs, simplifying integration for AI agents and MCP.

Restrict access to machine-to-machine applications only from allowed IP addresses or CIDR ranges.

Allow users to fully customize the CSP headers in the "Bring your UI" feature. Currently the CSP headers are a little bit too restrictive and prevents users from being able to add their own dev and analytic tools, etc.

Add an app-level Grant TTL setting so developers can configure how long user authorization grants remain valid per application. Today, Logto uses a fixed 180-day grant TTL, which acts as a hidden cap for refresh-token-backed sessions. This project makes that limit explicit and configurable in application settings, while keeping 180 days as the default. Refresh token rotation will not bypass grant expiration. Effective lifetime remains limited by grant TTL, refresh token TTL, session binding, or explicit revocation, whichever comes first.

Support granular Management API scopes for M2M applications so specific actions like user deletion no longer require the broad all scope.

Currently under consideration.

Currently under consideration.

Reduce repeat MFA prompts by allowing users to mark a device as trusted for a defined period.

Standalone CLI wrapping Management API with auto-generated commands from OpenAPI spec, OAuth + M2M auth, targeting coding agents and Logto Cloud users.

One-way LDAP/Active Directory sync for Logto users, organizations, memberships, and role mappings.

Currently under consideration.

A set of framework-agnostic web components that can interact with Account API.

Authenticate users via API. No redirect needed.

Allow to use code-based configuration to provision role-based access control, for example, a YAML file.

An out-of-the-box solution that allows org admins to manage identities, organization profiles, and set up enterprise SSO themselves.

Customize policies to control authentication, such as username rules, IP blacklist / whitelist, verification code expiration, etc.

Making it easier for users to see all the apps they’re connected to in one simple, centralized place.

Insert custom text, links, and images into the default sign-in and sign-up pages.

Generate a secure key for programmatic access to the Logto Management API

RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol

Add Google One Tap to your website and authenticate users through Logto.

Migrate users from your legacy system to Logto only when they sign in.

Allow admins to define a list of email domains or addresses that can register.

Add custom claims to ID tokens using JavaScript code snippet.

Directly register via forgot password instead of prompting for another round of verification.

Skip verifying email/phone number during sign-up.

Limit access by IP address, user agent, and other policies.

Enhance native iOS and Android SDKs to use the system browser instead of a webview, enabling full WebAuthn support.

Allow verification code flow for SSO-provided unverified emails.

Allow specifying a localization parameter in privacy policy and terms of use URLs.

Limit selectable country codes in the phone number field to support region-specific apps

Option to allow both Google Workspace and Google social logins for the same account.

Currently under review

Show whether the account exists before code verification during sign-in or sign-up.

Add translations for custom content (e.g., consent screen permissions, user profile collection).

Configure a mandatory minimum age for the birthdate sign-up field to ensure compliance

Managing user sessions with multi-device session tracking, session controls, etc.

Support passwordless authentication with passkey sign-in

Collect mandatory and optional profile fields during user registration.

Instantly integrate account setting flows (e.g., update email, password, MFA) with a prebuilt UI into your app.

Trigger MFA according to the current risk level, e.g. a new device, IP, etc.

Support for wildcard patterns in redirect URIs to improve authentication for dynamic environments like preview deployments.

Support RFC 8628: OAuth 2.0 Device Authorization Grant.

Support multiple custom domains and render different sign-in experience brandings according to the domain.

Use Logto as a SAML identity provider.

A set of APIs and rules that allow end-users to update their identifiers and profile.

Reject any sign-up attempts using a disposable email address to prevent spam and improve user quality.

Add reCAPTCHA / Cloudflare Turnstile / hCaptcha for bot protection.

Directly convert Dev tenant to a Pro tenant.

Enable overriding the default Logto session timeout and configure limits on concurrent sign-in devices.

Provide an option to emit a noindex meta tag or X-Robots-Tag response header for sign-in pages.

One-time token for organization member invitation, user invitation, password recovering, etc.

Allow end users to update, delete, and verify TOTP via Account API.

Remove "Powered by Logto" to spotlight your brand exclusively on the sign-in experience.

Provide typed libraries for services (e.g., Node.js) to use Logto Management API.

Register, name, and manage multiple passkeys via Account API.

Choose whether to sync unverified emails from social or enterprise identity providers via OIDC.

Multiple sign-up identifiers (e.g., email & username) and other improvements

Add custom user data to the ID token so clients can access identity details instantly

Integrate fully featured security settings (e.g., update identifier, password, MFA) for end-users with prebuilt UI.

Securely let users authorize third-party services, then store, manage, and use the tokens with Logto.

Use ui_locales to adjust the sign-in locale dynamically and expose it to email templates.

Customize organization's sign-in experience with exclusive logo, favicon, colors, and custom CSS.

Directly manage access permissions for Account API in the console.

Customize the policy to provisionally lock accounts after multiple failed sign-ins to prevent brute force access.

Store and retrieve 'access and refresh tokens' from social providers (e.g., Google) for API access.

Allow users to sign in with social providers without being required to provide additional sign-up identifiers (e.g., email or phone).

Add the client IP address to the payload to enable IP-based rate limiting and reduce abuse.

Currently under consideration.

Currently under consideration.

Currently under consideration.