Support multiple custom domains and render different sign-in experience brandings according to the domain.

Instantly integrate a fully featured Account Settings page into your app.

Managing user sessions with multi-device session tracking, session controls, etc.

Support passwordless authentication with passkey sign-in

Trigger MFA according to the current risk level, e.g. a new device, IP, etc.

Support RFC 8628: OAuth 2.0 Device Authorization Grant.

Adjust username case-sensitivity, length restrictions, allowed charset, etc.

Simplify wording when no matching account is found during sign-in experience.

Allow specifying a localization parameter in privacy policy and terms of use URLs.

Choose whether to sync unverified emails from social or enterprise identity providers via OIDC.

Manage MFA (passkeys, authenticator apps, backup codes) in your Logto Cloud console profile.

Set passkey as a supplemental and custom passkey names.

A set of framework-agnostic web components that can interact with Account API.

Authenticate users via API. No redirect needed.

Support for wildcard patterns in redirect URIs to improve authentication for dynamic environments like preview deployments.

Customize policies to control authentication, such as username rules, IP blacklist / whitelist, verification code expiration, etc.

Allow to use code-based configuration to provision role-based access control, for example, a YAML file.

A set of framework-agnostic web components that can interact with Experience API.

An out-of-the-box solution that allows org admins to manage identities, organization profiles, and set up enterprise SSO themselves.

System for cross-domain identity management APIs.

Making it easier for users to see all the apps they’re connected to in one simple, centralized place.

Define dynamic access policies using user or resource attributes for context-aware security.

Generate a secure key for programmatic access to the Logto Management API

Migrate users from your legacy system to Logto only when they sign in.

Block users at the login stage if they come from a specific app. This will essentially enable app-level authentication (beyond just branding).

Add Google One Tap to your website and authenticate users through Logto.

Add custom claims to ID tokens using JavaScript code snippet.

RFC 7591: OAuth 2.0 Dynamic Client Registration Protocol

Provide an option to override the default OIDC access token time-to-live (TTL) and session TTL.

Support Client Initiated Backchannel Authentication (CIBA) Flow.

Provide an option to emit a noindex meta tag or X-Robots-Tag response header for sign-in pages.

Limit access by IP address, user agent, and other policies.

Track all end-user activities performed through the Account API, including identifier, password, MFA, and profile updates.

Directly register via forgot password instead of prompting for another round of verification.

Skip verifying email/phone number during sign-up.

Restrict access to machine-to-machine applications only from allowed IP addresses or CIDR ranges.

Allow verification code flow for SSO-provided unverified emails.

Option to allow both Google Workspace and Google social logins for the same account.

Invokes your API whenever a user’s role or organization role changes.

Support SAML social connector for government-backed regional IdPs (e.g., SPID, eIDAS, Singpass).

Implement RFC 9396 and provide some useful feature around it.

Auto-detect and select the right country code when users enter or paste full phone numbers with "+"

Provide a centralized portal for end-users to view and launch all their authorized applications.

Show whether the account exists before code verification during sign-in or sign-up.

Limit selectable country codes in the phone number field to support region-specific apps

Allow admins to define a list of email domains or addresses that can register.

Configure a mandatory minimum age for the birthdate sign-up field to ensure compliance

Issue opaque tokens instead of JWTs to allow real-time introspection for API resource access.

Collect mandatory and optional profile fields during user registration.

Reject any sign-up attempts using a disposable email address to prevent spam and improve user quality.

Use Logto as a SAML identity provider.

A set of APIs and rules that allow end-users to update their identifiers and profile.

Add reCAPTCHA / Cloudflare Turnstile / hCaptcha for bot protection.

Directly convert Dev tenant to a Pro tenant.

Achieve SOC 2 compliance and obtain certification.

Allow end users to update, delete, and verify TOTP via Account API.

Remove "Powered by Logto" to spotlight your brand exclusively on the sign-in experience.

Enable email or SMS passwordless verification for multi-factor authentication.

Provide typed libraries for services (e.g., Node.js) to use Logto Management API.

Securely let users authorize third-party services, then store, manage, and use the tokens with Logto.

Register, name, and manage multiple passkeys via Account API.

One-time token for organization member invitation, user invitation, password recovering, etc.

Multiple sign-up identifiers (e.g., email & username) and other improvements

Directly manage access permissions for Account API in the console.

Customize the policy to provisionally lock accounts after multiple failed sign-ins to prevent brute force access.

Use ui_locales to adjust the sign-in locale dynamically and expose it to email templates.

Customize organization's sign-in experience with exclusive logo, favicon, colors, and custom CSS.