# Logto — Open Source Authentication & Authorization for SaaS

> Logto is an open-source Auth0 alternative providing OIDC/OAuth 2.1 authentication with multi-tenancy, SSO, RBAC, and MFA for modern SaaS and AI apps.

## Install

Save the content below to `.claude/skills/` or append to your `CLAUDE.md`:

## Quick Use

```bash
docker run --name logto -p 3001:3001 -p 3002:3002 \
  -e DB_URL=postgres://postgres:password@host.docker.internal:5432/logto \
  ghcr.io/logto-io/logto:latest
```

Open `http://localhost:3002` (Admin Console) — set up your first application and sign-in experience.

## Intro

**Logto** is an open-source authentication and authorization platform built on OIDC and OAuth 2.1 standards. It provides a complete identity infrastructure for SaaS applications with multi-tenancy, social login, SSO, MFA, and role-based access control out of the box.

With 11.9K+ GitHub stars and MPL-2.0 license, Logto offers both self-hosted and cloud options, making it a viable alternative to Auth0, Clerk, and Firebase Auth with full data ownership.

## What Logto Does

Logto handles the entire authentication and authorization lifecycle:

- **Sign-in Experience**: Customizable login pages with email/password, phone OTP, social login (Google, GitHub, Apple, etc.), and passwordless options
- **Multi-tenancy**: Organizations with member management, invitation flows, and per-org settings
- **Single Sign-On (SSO)**: Enterprise SSO with SAML and OIDC federation for connecting corporate identity providers
- **Access Control**: Role-based access control (RBAC) with API resource permissions and organization-level roles
- **Multi-factor Authentication**: TOTP authenticator apps, WebAuthn/passkeys, and backup codes

## Architecture

```
┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│  Your App    │────▶│  Logto Core  │────▶│  PostgreSQL  │
│  (SDK)       │     │  (OIDC/OAuth)│     │  (Users/Orgs)│
└──────────────┘     └──────┬───────┘     └──────────────┘
                            │
                     ┌──────┴───────┐
                     │ Admin Console│
                     │ (React SPA)  │
                     └──────────────┘
```

## Integration Example (Next.js)

```bash
npm install @logto/next
```

```typescript
// app/api/logto/[action]/route.ts
import { handleSignIn, handleSignOut, handleCallback } from '@logto/next/server-actions';
import { logtoConfig } from './config';

export { handleSignIn, handleSignOut, handleCallback };

// logto.config.ts
export const logtoConfig = {
  endpoint: 'http://localhost:3001',
  appId: 'your-app-id',
  appSecret: 'your-app-secret',       // placeholder: load the real value from the environment
  baseUrl: 'http://localhost:3000',
  cookieSecret: 'your-cookie-secret', // placeholder: use a long random value
  cookieSecure: process.env.NODE_ENV === 'production',
};
```

```tsx
// app/page.tsx
import { getLogtoContext } from '@logto/next/server-actions';
// Import path assumed; point it at wherever logto.config.ts lives.
import { logtoConfig } from './logto.config';

export default async function Home() {
  const { isAuthenticated, claims } = await getLogtoContext(logtoConfig);
  // The element tags were lost from the original snippet; the <p> and <a>
  // wrappers and the href below are assumptions.
  return isAuthenticated ? (
    <p>Welcome, {claims?.name}</p>
  ) : (
    <a href="/api/logto/sign-in">Sign In</a>
  );
}
```

## SDKs Available

Logto provides official SDKs for all major platforms:

| Platform | Package |
|----------|---------|
| React | `@logto/react` |
| Next.js | `@logto/next` |
| Vue | `@logto/vue` |
| Express | `@logto/express` |
| Python (Flask/Django) | `logto` |
| Go | `github.com/logto-io/go` |
| iOS/Android | Native SDKs |

## Self-Hosting

### Docker Compose

```yaml
services:
  logto:
    image: ghcr.io/logto-io/logto:latest
    ports:
      - "3001:3001"  # Core API
      - "3002:3002"  # Admin Console
    environment:
      # Development credentials; change them before any real deployment.
      DB_URL: postgres://logto:logto@postgres:5432/logto
      ENDPOINT: http://localhost:3001
      ADMIN_ENDPOINT: http://localhost:3002
    depends_on:
      - postgres

  postgres:
    image: postgres:16
    environment:
      POSTGRES_USER: logto
      POSTGRES_PASSWORD: logto
      POSTGRES_DB: logto
    volumes:
      - pg-data:/var/lib/postgresql/data

volumes:
  pg-data:
```

## Logto vs Alternatives

| Feature | Logto | Auth0 | Clerk | Firebase Auth |
|---------|-------|-------|-------|---------------|
| Open Source | Yes (MPL-2.0) | No | No | No |
| Self-hosted | Yes | No | No | No |
| Multi-tenancy | Built-in | Enterprise | No | No |
| SSO (SAML/OIDC) | Yes | Enterprise | Enterprise | No |
| MFA | TOTP + Passkeys | Yes | Yes | Phone only |
| Pricing | Free (self-host) | Free tier + paid | Per MAU | Free tier + paid |

## FAQ

**Q: How many users can Logto handle?**
A: Self-hosted Logto runs on PostgreSQL and easily handles millions of users. The Cloud version uses a distributed architecture for even larger scale.

**Q: Is it hard to migrate from Auth0 to Logto?**
A: Logto follows OIDC standards and provides user import APIs and compatible SDK interfaces. Most apps can migrate by simply swapping the SDK and configuration.

**Q: Does it support machine-to-machine (M2M) authentication?**
A: Yes. Logto supports the client_credentials grant for service-to-service auth — great for microservices and API gateways.
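
The `logtoConfig` in the integration example above carries placeholder secrets and plain-HTTP URLs that are meant to be replaced before deployment. The following pre-flight check is an added example, not code from Logto or from the original page; the field names follow the page's `logtoConfig`, while `auditLogtoConfig`, the placeholder pattern and the 32-character minimum are assumptions.

```typescript
// Added example: audit a Logto SDK config object before the app starts.
type LogtoConfig = {
  endpoint: string;
  appId: string;
  appSecret: string;
  baseUrl: string;
  cookieSecret: string;
  cookieSecure: boolean;
};

const MIN_COOKIE_SECRET_LENGTH = 32; // assumed minimum, not a documented Logto limit
const PLACEHOLDER = /^(your-|change-?me|password$|secret$)/i; // constructed pattern

function isLocalHttp(url: string): boolean {
  return /^http:\/\/(localhost|127\.0\.0\.1)(:\d+)?(\/|$)/.test(url);
}

function auditLogtoConfig(config: LogtoConfig, production: boolean): string[] {
  const findings: string[] = [];
  for (const key of ['appId', 'appSecret', 'cookieSecret'] as const) {
    if (PLACEHOLDER.test(config[key])) findings.push(`${key}: placeholder value`);
  }
  if (config.cookieSecret.length < MIN_COOKIE_SECRET_LENGTH) {
    findings.push(`cookieSecret: shorter than ${MIN_COOKIE_SECRET_LENGTH} characters`);
  }
  for (const key of ['endpoint', 'baseUrl'] as const) {
    const url = config[key];
    if (url.startsWith('https://')) continue;
    // Plain HTTP is tolerated only for a local development instance.
    if (production || !isLocalHttp(url)) findings.push(`${key}: not HTTPS`);
  }
  if (production && !config.cookieSecure) {
    findings.push('cookieSecure: must be true in production');
  }
  return findings;
}

// Constructed sample: the page's quick-start values, evaluated as a production config.
const quickStart: LogtoConfig = {
  endpoint: 'http://localhost:3001',
  appId: 'your-app-id',
  appSecret: 'your-app-secret',
  baseUrl: 'http://localhost:3000',
  cookieSecret: 'your-cookie-secret',
  cookieSecure: false,
};

console.log(auditLogtoConfig(quickStart, true));
```

Calling it at startup and refusing to boot on a non-empty result keeps the quick-start values out of a deployed instance.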

## Source & Thanks

- GitHub: [logto-io/logto](https://github.com/logto-io/logto) — 11.9K+ ⭐ | MPL-2.0
- Website: [logto.io](https://logto.io)

---

Source: https://tokrepo.com/en/workflows/logto-open-source-authentication-authorization-saas-558aece6

Author: Script Depot