
Logto API SDK
A TypeScript SDK for interacting with Logto's Management API using client credentials authentication.
- Create a machine-to-machine application in your Logto Console.
- Grant the application access to the Management API.
- Install the SDK via npm: `npm install @logto/api`
- Use `createManagementApi()` to create a typed Management API client with your application's credentials.
This SDK simplifies the process of integrating with Logto's Management API, allowing developers to focus on building features rather than handling API requests and responses manually.
- Handles OAuth token authentication and renewal automatically.
- Supports both Logto Cloud and self-hosted instances.
Secret Vault
The Secret Vault is designed to securely store sensitive user data—such as access tokens, API keys, passcodes, and other confidential information. These secrets are typically used to access third-party services on behalf of users, making secure storage essential.
With this release, federated token set storage support is added to both social and enterprise SSO connectors. When enabled, Logto securely stores the token set issued by the provider after a successful user authentication. Applications can then retrieve the access token later to access third-party APIs without requiring the user to reauthenticate.
Supported connectors:
- Social connectors: GitHub, Google, Facebook, Standard OAuth 2.0, and Standard OIDC
- Enterprise SSO connectors: All OIDC-based SSO connectors
How it works:
- Enable token storage for social and enterprise SSO connectors in the Logto Console or via the Logto Management API.
- Once enabled, Logto automatically stores the token set issued by the provider after a successful user authentication.
- After the token set is stored, you can retrieve the access token via the Logto Account API for the user. This allows your application to access third-party APIs without requiring the user to reauthenticate.
For more details, see the Secret Vault documentation.
Note
For OSS users: To enable the Secret Vault feature, you must set the `SECRET_VAULT_KEK` environment variable to a valid base64-encoded secret key. This key is used to encrypt and decrypt the secrets stored in the vault. For more information, refer to the configuration variables documentation.
Add TOTP and Backup Codes via Account API
Users can now add TOTP and backup codes via the Account API.
- `POST /api/my-account/mfa-verifications/totp-secret/generate`: Generate a TOTP secret.
- `POST /api/my-account/mfa-verifications/backup-codes/generate`: Generate backup codes.
- `POST /api/my-account/mfa-verifications`: Add a TOTP or backup code using the generated secret or codes.
- `GET /api/my-account/mfa-verifications/backup-codes`: Retrieve backup codes.
Bug Fixes
Tenant-aware foreign key constraint for `organization_user_relations` table
Problem
Developers could mistakenly assign a `user_id` from another tenant to an organization, causing 500 errors on organization user API endpoints. The original `organization_user_relations` table only had a foreign key constraint on `users (id)`, allowing any existing user ID to be assigned regardless of tenant isolation.
Root Cause
Logto applies Row Level Security (RLS) on all tables to isolate tenant data access. When joining the `users` table with `organization_user_relations`, the actual user data becomes inaccessible to the current tenant due to RLS restrictions, causing user data to return null and triggering 500 server errors.
Solution
A composite foreign key constraint `(tenant_id, user_id)` referencing `users (tenant_id, id)` was added to ensure the organization-user relation's tenant ID matches the user's tenant ID. This enforces proper tenant isolation at the database level.
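As an added illustration (not Logto's own migration), the PostgreSQL schema below places the original single-column constraint beside the composite one described above. Table and column names follow the note; the remaining columns, types and sample rows are assumed for the demonstration.

```sql
-- Illustrative schema, not Logto's migration. Only the names from the
-- release note are real; other columns and the sample data are constructed.
CREATE TABLE tenants (
  id text PRIMARY KEY
);

CREATE TABLE users (
  tenant_id text NOT NULL REFERENCES tenants (id),
  id        text NOT NULL PRIMARY KEY,
  -- Gives the composite foreign key below a unique target to reference.
  UNIQUE (tenant_id, id)
);

CREATE TABLE organizations (
  tenant_id text NOT NULL REFERENCES tenants (id),
  id        text NOT NULL PRIMARY KEY,
  UNIQUE (tenant_id, id)
);

-- Before the fix: only users (id) is referenced, so a user id from any
-- tenant is accepted as long as the row exists somewhere.
CREATE TABLE organization_user_relations (
  tenant_id       text NOT NULL REFERENCES tenants (id),
  organization_id text NOT NULL,
  user_id         text NOT NULL REFERENCES users (id),
  PRIMARY KEY (tenant_id, organization_id, user_id),
  FOREIGN KEY (tenant_id, organization_id) REFERENCES organizations (tenant_id, id)
);

-- The fix: the relation's tenant_id must match the referenced user's tenant_id.
ALTER TABLE organization_user_relations
  ADD FOREIGN KEY (tenant_id, user_id) REFERENCES users (tenant_id, id);

-- Constructed data: user_1 lives in tenant_a, org_1 lives in tenant_b.
INSERT INTO tenants VALUES ('tenant_a'), ('tenant_b');
INSERT INTO users VALUES ('tenant_a', 'user_1');
INSERT INTO organizations VALUES ('tenant_b', 'org_1');

-- Cross-tenant assignment. Under the original schema this row is accepted
-- and RLS later hides the user, which is what surfaced as the 500 error.
-- With the composite constraint the insert is rejected with a foreign key
-- violation, so the bad state can never be written.
INSERT INTO organization_user_relations VALUES ('tenant_b', 'org_1', 'user_1');
```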
Other Improvements
- Social connectors: Added support for providing a custom `scope` parameter when generating the authorization URL for social connectors. This allows you to request additional permissions from the social provider when calling the Logto social verification endpoint. If the scope is provided, it will be used in the authorization request; otherwise, the default scope configured in the connector settings will be used.
- Console: To better support the new Secret Vault feature, we have refactored the layout of the user details page. User social and enterprise SSO identities are now organized into a new Connection section. This section lists all of a user's linked connections, showing third-party identity information and token storage status (if applicable). A detailed user identity page is also available for each connection, providing more information about the linked identity and its associated tokens.