Logto
Open-source auth infrastructure for SaaS and AI apps with OIDC, SAML, and RBAC
Logto is an open-source authentication and authorization platform built for SaaS and AI applications, offering multi-tenancy, enterprise SSO, RBAC, and modern identity protocols like OIDC and OAuth 2.1 without the complexity of proprietary solutions.
Logto supports deployment via Docker, Node.js, or its fully managed cloud service, and integrates with 30+ frameworks including React, Next.js, Go, Python, and Vue. Its architecture includes a Management API, customizable UIs, and native support for Model Context Protocol and agent-based AI systems. With built-in RBAC, impersonation, personal access tokens, and IdP capabilities, it provides a complete identity stack without vendor lock-in.
The platform handles the full authentication lifecycle — from sign-up and social login to MFA and enterprise SSO — with pre-built, production-ready UI flows that can be styled to match any product. Its multi-tenant organization model lets SaaS builders ship isolated customer environments with per-tenant RBAC, just-in-time provisioning, and member invitation workflows out of the box.
What You Get
- OIDC and OAuth 2.1 Provider - A fully compliant authorization server implementing OIDC, OAuth 2.1, and SAML 2.0 with standard token issuance, PKCE, device flow, and token exchange grants for web, mobile, and M2M applications.
- Multi-tenancy with Organization RBAC - Built-in organization and tenant isolation with role-based access control at both global and per-organization scopes, enabling SaaS applications to manage multiple customer environments with member invitations and just-in-time provisioning.
- Enterprise SSO (SAML & OIDC IdP) - Pre-built connectors for Okta, Entra ID, Google Workspace, and any SAML or OIDC identity provider, with case-insensitive domain matching and trust-unverified-email options for federated identity scenarios.
- Passwordless and Social Authentication - Support for email/SMS one-time codes, passkeys (WebAuthn), Google One Tap, and 30+ social connectors, eliminating passwords while maintaining smooth sign-in experiences across web and mobile.
- Multi-Factor Authentication (MFA) - Configurable MFA enforcement using TOTP authenticator apps, WebAuthn passkeys, and backup codes, with per-tenant or global policy controls and secure management flows for end users.
- Machine-to-Machine (M2M) Authentication - Client credentials flow for secure API-to-API communication, personal access tokens (PATs) for scripts and automation pipelines, and token exchange extensions for agent-to-agent AI workflows.
- JWT Customizer with Application Context - Server-side scripts that run with sandboxed execution to inject custom claims into access tokens and ID tokens based on application context, user metadata, and organization roles without requiring code deployment.
- User Impersonation - Admins can safely impersonate end users via the Management API to reproduce issues and debug flows without requiring user passwords or session hijacking.
- Management API - RESTful API for programmatic user, role, tenant, and connector management, enabling automation and integration with CI/CD pipelines, HR systems, and custom admin dashboards.
- Built-in Account Center - A ready-to-use single-page account management application for end users covering profile updates, MFA management, and sensitive operation verification flows with no additional frontend work required.
Common Use Cases
- Building a multi-tenant SaaS platform - A B2B software company uses Logto’s organization model to manage isolated customer tenants, enforce per-tenant RBAC, and provision enterprise clients via SAML SSO with just-in-time user creation.
- Securing AI agent ecosystems - An AI startup authenticates LLM agents and tool calls using Logto’s M2M client credentials and token exchange extensions, with MCP integration enabling standardized agent identity.
- Replacing Auth0 or Firebase Auth - A growth-stage startup migrates from a proprietary auth service to Logto to eliminate per-MAU billing, retain full data ownership, and customize authentication flows beyond what managed services allow.
- Enabling passwordless onboarding for mobile apps - A fintech app integrates Logto’s email/SMS passwordless flows and Google One Tap to reduce signup friction and improve conversion rates on iOS and Android.
- Deploying enterprise SSO for a B2B product - A project management tool adds Okta and Entra ID SSO support for enterprise customers without building custom SAML parsing, using Logto’s pre-built connectors and automatic JIT provisioning.
Under The Hood
Architecture
Logto is built as a pnpm monorepo with a Koa.js backend implementing a multi-tenant architecture where each incoming request resolves a Tenant instance from a pool, giving it an isolated OIDC provider, PostgreSQL connection pool, and domain-specific service libraries. The Libraries class acts as a dependency injection container, composing domain services (user, connector, JWT customizer, SAML, organization, subscription quota) around a shared Queries object that encapsulates all database access. Middleware pipelines use koa-compose to cleanly layer tenant resolution, authentication verification, audit logging, rate limiting, and business logic without coupling. Routing is modular with dedicated router files per domain, and OIDC grant extensions (token exchange, device flow, client credentials) are implemented as pluggable grant handlers on top of the oidc-provider package, maintaining protocol compliance while adding platform-specific behavior.
Tech Stack
The backend runs on Node.js 22 with TypeScript throughout, using Koa.js for the HTTP layer, slonik for type-safe PostgreSQL access, and ioredis for session caching and well-known configuration. The OIDC/OAuth 2.1 protocol stack is powered by oidc-provider with Logto-specific grant extensions. The admin console and experience UI are built with React 18, React Router, and Vite for bundling, styled with SCSS modules. Build tooling uses tsup for backend TypeScript compilation and pnpm workspaces across 20+ packages. Testing infrastructure spans Vitest and Jest for unit tests, custom Docker Compose integration test harnesses with real PostgreSQL, and Playwright for E2E browser automation. Deployment targets Docker with multi-stage builds, GitPod for instant dev environments, and Render for one-click cloud deploys.
Code Quality
The repository contains over 600 test files covering unit tests for middleware, library functions, and OIDC grant logic, integration tests running against live PostgreSQL and Redis containers, and Playwright end-to-end tests for the sign-in experience and admin console. Error handling uses a typed RequestError class with standardized HTTP status codes and error code constants across all route handlers, making errors machine-parseable rather than just message strings. TypeScript is enforced strictly across all packages with shared interface schemas defined in the @logto/schemas package, eliminating type divergence between backend and frontend. Pre-commit hooks via Husky enforce linting with a custom @silverhand ESLint ruleset, and changeset-based versioning provides a consistent release process across the monorepo’s many packages.
What Makes It Unique
Logto stands out by combining three capabilities that most auth platforms treat as separate products: a full OIDC/OAuth 2.1 provider, a multi-tenant organization system with per-tenant RBAC, and native support for AI agent authentication via Model Context Protocol integration and token exchange extensions. Its JWT customizer allows server-side claim scripts with application context injection, enabling app-aware token customization without redeployment. The built-in Account Center is a production-ready self-service identity management UI requiring zero frontend development. SAML SP capability lets Logto itself act as a service provider for enterprise SSO without requiring customers to use Logto as their primary IdP, and cross-app authentication isolation via structured _interaction cookie mapping prevents session contamination across simultaneous auth flows in the same browser.
Self-Hosting
Logto is licensed under the Mozilla Public License 2.0 (MPL-2.0), a weak copyleft license that requires modifications to MPL-licensed files to be shared under the same license but does not impose copyleft on surrounding proprietary code. This means self-hosters can build and ship closed-source SaaS products on top of Logto without licensing concerns, provided they distribute any modifications to the Logto files themselves back under MPL-2.0. Commercially, this is one of the most permissive copyleft licenses available and imposes no restrictions on the number of users, tenants, or environments you run.
Running Logto yourself requires a Node.js 22 runtime, a PostgreSQL database (version 14+ recommended), and optionally Redis for session caching and performance. The platform ships a Docker Compose file covering all dependencies for local development, and a multi-stage Dockerfile suitable for production. Operational responsibilities include database backup and recovery, PostgreSQL version upgrades, Node.js security patches, Redis cluster management if used at scale, and monitoring and alerting — none of which are provided out of the box. Database schema migrations are managed via Logto’s CLI (logto db alt), and operators must run them manually during upgrades. For high availability, you must front multiple Logto instances with a load balancer and ensure Redis and PostgreSQL are themselves highly available, which adds meaningful infrastructure complexity.
Logto Cloud (cloud.logto.io) is the managed alternative, offering zero-ops deployment, managed PostgreSQL and Redis, automatic upgrades, an SLA, and a free tier for evaluation. The paid cloud plans add higher MAU limits, advanced enterprise connectors, and dedicated support. Self-hosters give up managed upgrades, infrastructure SLAs, built-in HA, and direct vendor support channels. The OSS version and cloud version are functionally equivalent at the feature level — there are no enterprise features gated behind a proprietary license tier in the self-hosted build — but the cloud tier adds quota-based limits (tokens per month, MAU) that are enforced server-side and tied to your subscription plan.
Related Apps
Supabase
Developer Tools · Databases · Search
The open-source Postgres development platform that replaces Firebase with authentication, real-time APIs, edge functions, storage, and vector embeddings — all built on PostgreSQL.
Supabase
Apache 2.0PocketBase
Databases · Ecommerce · Authentication
Open Source realtime backend in 1 file — embedded SQLite, auth, file storage, and admin UI as a single Go binary.
PocketBase
MITAppwrite
Developer Tools · Databases · Authentication
Open-source backend platform with Auth, Databases, Storage, Functions, Messaging, Realtime, and Sites — deploy via Docker or use Appwrite Cloud.