Collect mandatory and optional profile fields during user registration.

Securely let users authorize third-party services, then store, manage, and use the tokens with Logto.

Register, name, and manage multiple passkeys via Account API.

Add Google One Tap to your website and authenticate users through Logto.

Then no password is required for sign-in.

A set of framework-agnostic web components that can interact with Account API.

Support multiple custom domains and render different sign-in experience brandings according to the domain.

Trigger MFA according to the current risk level, e.g. a new device, IP, etc.

Customize policies to control authentication, such as username rules, IP blacklist / whitelist, verification code expiration, etc.

Support RFC 8628: OAuth 2.0 Device Authorization Grant.

Duplicate dev tenant configurations (connectors, roles, resources, etc.) to a new production tenant.

Adjust username case-sensitivity, length restrictions, allowed charset, etc.

Support for wildcard patterns in redirect URIs to improve authentication for dynamic environments like preview deployments.

Provide typed libraries for services (e.g., Node.js) to use Logto Management API.

Migrate users from your legacy system to Logto only when they sign in.

Allow end users to update, delete, and verify TOTP via Account API.

Managing user sessions with multi-device session tracking, session controls, etc.

Simplify wording when no matching account is found during sign-in experience.

RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol

Option to allow both Google Workspace and Google social logins for the same account.

Allow verification code flow for SSO-provided unverified emails.

Show whether the account exists before code verification during sign-in or sign-up.

Skip verifying email/phone number during sign-up.

Limit access by IP address, user agent, and other policies.

Support SAML social connector for government-backed regional IdPs (e.g., SPID, eIDAS, Singpass).

Authenticate users via API. No redirect needed.

A set of framework-agnostic web components that can interact with Experience API.

Allow to use code-based configuration to provision role-based access control, for example, a YAML file.

An out-of-the-box solution that allows org admins to manage identities, organization profiles, and set up enterprise SSO themselves.

Making it easier for users to see all the apps they’re connected to in one simple, centralized place.

Instantly integrate a fully featured Account Settings page into your app.

System for cross-domain identity management APIs.

Directly register via forgot password instead of prompting for another round of verification.

Support Client Initiated Backchannel Authentication (CIBA) Flow.

Enable email or SMS passwordless verification for multi-factor authentication.

Implement RFC 9396 and provide some useful feature around it.

Block users at the login stage if they come from a specific app. This will essentially enable app-level authentication (beyond just branding).

Reject any sign-up attempts using a disposable email address to prevent spam and improve user quality.

Use Logto as a SAML identity provider.

A set of APIs and rules that allow end-users to update their identifiers and profile.

Add reCAPTCHA / Cloudflare Turnstile / hCaptcha for bot protection.

Achieve SOC 2 compliance and obtain certification.

One-time token for organization member invitation, user invitation, password recovering, etc.

Multiple sign-up identifiers (e.g., email & username) and other improvements

Customize the policy to provisionally lock accounts after multiple failed sign-ins to prevent brute force access.