Can I use Logto as a CLI?

Yes. KosmoKrator exposes a Logto CLI through kosmo integrations:call and the provider shortcut command. Commands can return JSON for scripts, CI, and coding agents.

Can I expose Logto through MCP?

Yes. The KosmoKrator MCP gateway can expose selected Logto tools to clients such as Claude Code, Cursor, Codex, and other MCP-compatible tools.

Where are Logto credentials stored?

Logto credentials are configured in KosmoKrator's local integration settings and reused by CLI, Lua, and MCP gateway surfaces.

Can I deny write access for Logto MCP tools?

Yes. Start the gateway with --write=deny for read-only clients, or use ask/allow only for trusted workspaces.

productivity

Logto MCP, CLI, and Lua Integration for AI Agents

Logto integration docs for AI agents: MCP gateway setup, Logto CLI commands, Lua API reference, credentials, and function schemas.

Logto for agents

Credentials can be configured manually in web or CLI hosts.

Use this integration from Lua code mode, the headless integrations CLI, or the KosmoKrator MCP gateway. The same package metadata powers all three surfaces.

Agent Surfaces

Logto CLIHeadless setup, JSON output, direct function calls. Logto MCPExpose selected tools to local MCP clients. Logto LuaAgent-facing namespace and Lua reference. FeedbackReport missing tools, auth issues, or bad metadata.

Machine-Readable Metadata

integration_slug: logto
route_slug: logto
package: logto
auth_strategy: oauth_client_credentials
cli_setup_supported: true
cli_runtime_supported: true
mcp_gateway_supported: true
lua_supported: true

Function Catalog

Function	Type	Description
`logto.logto_add_mfa_verification`	Write `write`	Add a MFA verification to the user, a logto-verification-id in header is required for checking sensitive permissions.
`logto.logto_add_one_time_tokens`	Write `write`	Create a new one-time token associated with an email address. The token can be used for verification purposes and has an expiration time.
`logto.logto_add_organization_applications`	Write `write`	Add an application to the organization.
`logto.logto_add_organization_users`	Write `write`	Add users as members to the specified organization with the given user IDs.
`logto.logto_add_user_identities`	Write `write`	Add an identity (social identity) to the user, a logto-verification-id in header is required for checking sensitive permissions, and a verification record for the social identity is required.
`logto.logto_add_user_profile`	Write `write`	Adds user profile data to the current experience interaction. - For `Register`: The profile data provided before the identification request will be used to create a new user account. - For `SignIn` and `Register`: The profile data provided after the user is identified will be used to update the user's profile when the interaction is submitted. - `ForgotPassword`: Not supported.
`logto.logto_assert_saml`	Write `write`	The Assertion Consumer Service (ACS) endpoint for Simple Assertion Markup Language (SAML) social connectors. SAML social connectors are deprecated. Use the SSO SAML connector instead.
`logto.logto_assert_single_sign_on_saml`	Write `write`	The Assertion Consumer Service (ACS) endpoint for Simple Assertion Markup Language (SAML) single sign-on (SSO) connectors. This endpoint is used to complete the SAML SSO authentication flow. It receives the SAML assertion response from the identity provider (IdP) and redirects the user to complete the authentication flow.
`logto.logto_assign_application_roles`	Write `write`	Assign API resource roles to the specified application. The API resource roles will be added to the existing API resource roles.
`logto.logto_assign_organization_roles_to_application`	Write `write`	Add a role to the application in the organization.
`logto.logto_assign_organization_roles_to_applications`	Write `write`	Assign roles to applications in the specified organization.
`logto.logto_assign_organization_roles_to_user`	Write `write`	Assign roles to a user in the specified organization with the provided data.
`logto.logto_assign_organization_roles_to_users`	Write `write`	Assign roles to user members of the specified organization.
`logto.logto_assign_user_roles`	Write `write`	Assign API resource roles to the user. The roles will be added to the existing roles.
`logto.logto_bind_mfa_verification`	Write `write`	Bind new MFA verification to the user profile using the verificationId.
`logto.logto_bind_passkey`	Write `write`	Bind a WebAuthn credential as a passkey for sign-in purposes. Unlike `POST /api/experience/profile/mfa` with `type: WebAuthn`, this endpoint is exclusively for adding a passkey as a sign-in method and does NOT mark the user's optional MFA as enabled.
`logto.logto_check_password_with_default_sign_in_experience`	Write `write`	Check if a password meets the password policy in the sign-in experience settings.
`logto.logto_cleanup_domains`	Write `write`	Clean up custom domains that have been inactive (not verified) for a specified number of days. This uses Cloudflare as the source of truth to determine domain activity.
`logto.logto_create_and_send_mfa_verification_code`	Write `write`	Create a new MFA verification code and send it to the user's bound identifier (email or phone). This endpoint automatically uses the user's bound email address or phone number from their profile for MFA verification. The user must be identified before calling this endpoint.
`logto.logto_create_and_send_verification_code`	Write `write`	Create a new `CodeVerification` record and sends the code to the specified identifier. The code verification can be used to verify the given identifier.
`logto.logto_create_application`	Write `write`	Create a new application with the given data.
`logto.logto_create_application_protected_app_metadata_custom_domain`	Write `write`	Add a custom domain to the application. You'll need to setup DNS record later.
`logto.logto_create_application_secret`	Write `write`	Add a new secret for the application.
`logto.logto_create_application_user_consent_organization`	Write `write`	Grant a list of organization access of a user for a application by application id and user id. The user must be a member of all the organizations. Only third-party application needs to be granted access to organizations, all the other applications can request for all the organizations' access by default.
`logto.logto_create_application_user_consent_scope`	Write `write`	Assign the user consent scopes to an application by application id
`logto.logto_create_connector`	Write `write`	Create a connector with the given data.
`logto.logto_create_connector_authorization_uri`	Write `write`	Get authorization URI for specified connector by providing redirect URI and randomly generated state.
`logto.logto_create_connector_test`	Write `write`	Test a passwordless (email or SMS) connector by sending a test message to the given phone number or email address.
`logto.logto_create_custom_profile_field`	Write `write`	Create a custom profile field.
`logto.logto_create_custom_profile_fields_batch`	Write `write`	Create multiple custom profile fields in a single request (max 20 items).
`logto.logto_create_domain`	Write `write`	Create a new domain with the given data. The maximum domain number is 1, once created, can not be modified, you'll have to delete and recreate one.
`logto.logto_create_enterprise_sso_verification`	Write `write`	Create a new EnterpriseSSO verification record and return the provider's authorization URI for the given connector.
`logto.logto_create_hook`	Write `write`	Create a new hook with the given data.
`logto.logto_create_hook_test`	Write `write`	Test the specified hook with the given events and config.
`logto.logto_create_new_password_identity_verification`	Write `write`	Create a NewPasswordIdentity verification record for the new user registration use. The verification record includes a unique user identifier and a password that can be used to create a new user account.
`logto.logto_create_or_replace_totp_mfa_verification`	Write `write`	Create or replace the user's TOTP MFA verification with a new authenticator app binding. If the user already has a TOTP verification, it will be replaced; otherwise, a new one will be created. Requires a logto-verification-id header for sensitive permission checks, a valid TOTP secret, and a valid TOTP code generated from the secret.
`logto.logto_create_organization`	Write `write`	Create a new organization with the given data.
`logto.logto_create_organization_invitation`	Write `write`	Create an organization invitation and optionally send it via email. The tenant should have an email connector configured if you want to send the invitation via email at this point.
`logto.logto_create_organization_invitation_message`	Write `write`	Resend the invitation message to the invitee.
`logto.logto_create_organization_jit_email_domain`	Write `write`	Add a new email domain for just-in-time provisioning of users in the organization.
`logto.logto_create_organization_jit_role`	Write `write`	Add new organization roles that will be assigned to users during just-in-time provisioning.
`logto.logto_create_organization_jit_sso_connector`	Write `write`	Add new enterprise SSO connectors for just-in-time provisioning of users in the organization.
`logto.logto_create_organization_role`	Write `write`	Create a new organization role with the given data.
`logto.logto_create_organization_role_resource_scope`	Write `write`	Assign resource scopes to the specified organization role
`logto.logto_create_organization_role_scope`	Write `write`	Assign organization scopes to the specified organization role
`logto.logto_create_organization_scope`	Write `write`	Create a new organization scope with the given data.
`logto.logto_create_password_verification`	Write `write`	Create and verify a new Password verification record. The verification record can only be created if the provided user credentials are correct.
`logto.logto_create_resource`	Write `write`	Create an API resource in the current tenant.
`logto.logto_create_resource_scope`	Write `write`	Create a new scope (permission) for an API resource.
`logto.logto_create_role`	Write `write`	Create a new role with the given data.
`logto.logto_create_role_application`	Write `write`	Assign a role to a list of applications. The role must have the type `Application`.
`logto.logto_create_role_scope`	Write `write`	Link a list of API resource scopes (permissions) to a role. The original linked scopes will be kept.
`logto.logto_create_role_user`	Write `write`	Assign a role to a list of users. The role must have the type `User`.
`logto.logto_create_saml_application`	Write `write`	Create a new SAML application with the given configuration. A default signing certificate with 3 years lifetime will be automatically created.
`logto.logto_create_saml_application_secret`	Write `write`	Create a new signing certificate for the SAML application.
`logto.logto_create_saml_authn`	Write `write`	Process SAML authentication request using HTTP POST binding.
`logto.logto_create_sign_in_passkey_authentication`	Write `write`	Create WebAuthn authentication options for passkey sign-in. The user will be resolved later by the credential during verification.
`logto.logto_create_sign_in_passkey_authentication_with_identifier`	Write `write`	Create WebAuthn authentication options for passkey sign-in with an identifier. The identifier is used to look up the user's WebAuthn credentials and generate non-discoverable authentication options.
`logto.logto_create_social_verification`	Write `write`	Create a new SocialVerification record and return the provider's authorization URI for the given connector.
`logto.logto_create_sso_connector`	Write `write`	Create an new SSO connector instance for a given provider.
`logto.logto_create_subject_token`	Write `write`	Create a new subject token for the use of impersonating the user.
`logto.logto_create_totp_secret`	Write `write`	Create a new TOTP verification record and generate a new TOTP secret for the user. This secret can be used to bind a new TOTP verification to the user's profile. The verification record must be verified before the secret can be used to bind a new TOTP verification to the user's profile.
`logto.logto_create_user`	Write `write`	Create a new user with the given data.
`logto.logto_create_user_asset`	Write `write`	Upload a user asset.
`logto.logto_create_user_identity`	Write `write`	Link authenticated user identity from a social platform to a Logto user. The usage of this API is usually coupled with `POST /connectors/:connectorId/authorization-uri`. With the help of these pair of APIs, you can implement a user profile page with the link social account feature in your application. Note: Currently due to technical limitations, this API does not support the following connectors that rely on Logto interaction session: `@logto/connector-apple`, `@logto/connector-saml`, `@logto/c
`logto.logto_create_user_mfa_verification`	Write `write`	Create a new MFA verification for a given user ID.
`logto.logto_create_user_personal_access_token`	Write `write`	Add a new personal access token for the user.
`logto.logto_create_verification_by_password`	Write `write`	Create a verification record by verifying the password.
`logto.logto_create_verification_by_social`	Write `write`	Create a social verification record and return the authorization URI.
`logto.logto_create_verification_by_verification_code`	Write `write`	Create a verification record and send the code to the specified identifier. The code verification can be used to verify the given identifier.
`logto.logto_create_verification_code`	Write `write`	Request a verification code for the provided identifier (email/phone). if you're using email as the identifier, you need to setup your email connector first. if you're using phone as the identifier, you need to setup your SMS connector first.
`logto.logto_create_web_authn_authentication_verification`	Write `write`	Create a new WebAuthn authentication verification record based on the user's existing WebAuthn credential. This verification record can be used to verify the user's WebAuthn credential.
`logto.logto_create_web_authn_registration_verification`	Write `write`	Create a new WebAuthn registration verification record. The verification record can be used to bind a new WebAuthn credential to the user's profile.
`logto.logto_delete_application`	Write `write`	Delete application by ID.
`logto.logto_delete_application_legacy_secret`	Write `write`	Delete the legacy secret for the application and replace it with a new internal secret. Note: This operation does not "really" delete the legacy secret because it is still needed for internal validation. We may remove the display of the legacy secret (the `secret` field in the application response) in the future.
`logto.logto_delete_application_protected_app_metadata_custom_domain`	Write `write`	Remove custom domain from the specified application.
`logto.logto_delete_application_role`	Write `write`	Remove a API resource role from the specified application.
`logto.logto_delete_application_secret`	Write `write`	Delete a secret for the application by name.
`logto.logto_delete_application_user_consent_organization`	Write `write`	Revoke a user's access to an organization for a application by application id, user id and organization id.
`logto.logto_delete_application_user_consent_scope`	Write `write`	Remove the user consent scope from an application by application id, scope type and scope id
`logto.logto_delete_captcha_provider`	Write `write`	Delete the captcha provider.
`logto.logto_delete_connector`	Write `write`	Delete connector by ID.
`logto.logto_delete_custom_phrase`	Write `write`	Delete custom phrases for the specified language tag.
`logto.logto_delete_custom_profile_field_by_name`	Write `write`	Delete a custom profile field by name.
`logto.logto_delete_domain`	Write `write`	Delete domain by ID.
`logto.logto_delete_email_template`	Write `write`	Delete an email template by its ID.
`logto.logto_delete_email_templates`	Write `write`	Bulk delete email templates by their language tag and template type.
`logto.logto_delete_grant_by_id`	Write `write`	Revoke a specific user application grant by grant ID and remove the related session authorization. A logto-verification-id in header is required for revoking grants.
`logto.logto_delete_hook`	Write `write`	Delete hook by ID.
`logto.logto_delete_identity`	Write `write`	Delete an identity (social identity) from the user, a logto-verification-id in header is required for checking sensitive permissions. The request is rejected if it would remove the user's last identifier.
`logto.logto_delete_jwt_customizer`	Write `write`	Delete the JWT customizer for the given token type.
`logto.logto_delete_mfa_verification`	Write `write`	Delete an MFA verification, a logto-verification-id in header is required for checking sensitive permissions.
`logto.logto_delete_oidc_key`	Write `write`	Delete an OIDC signing key by key type and key ID.
`logto.logto_delete_one_time_token`	Write `write`	Delete a one-time token by its ID.
`logto.logto_delete_organization`	Write `write`	Delete organization by ID.
`logto.logto_delete_organization_application`	Write `write`	Remove an application from the organization.
`logto.logto_delete_organization_application_role`	Write `write`	Remove a role from the application in the organization.
`logto.logto_delete_organization_invitation`	Write `write`	Delete an organization invitation by ID.
`logto.logto_delete_organization_jit_email_domain`	Write `write`	Remove an email domain for just-in-time provisioning of users in the organization.
`logto.logto_delete_organization_jit_role`	Write `write`	Remove an organization role that will be assigned to users during just-in-time provisioning.
`logto.logto_delete_organization_jit_sso_connector`	Write `write`	Remove an enterprise SSO connector for just-in-time provisioning of users in the organization.
`logto.logto_delete_organization_role`	Write `write`	Delete organization role by ID.
`logto.logto_delete_organization_role_resource_scope`	Write `write`	Remove a resource scope assignment from the specified organization role.
`logto.logto_delete_organization_role_scope`	Write `write`	Remove a organization scope assignment from the specified organization role.
`logto.logto_delete_organization_scope`	Write `write`	Delete organization scope by ID.
`logto.logto_delete_organization_user`	Write `write`	Remove a user's membership from the specified organization.
`logto.logto_delete_organization_user_role`	Write `write`	Remove a role assignment from a user in the specified organization.
`logto.logto_delete_personal_access_token_post`	Write `write`	Delete a token for the user by name.
`logto.logto_delete_primary_email`	Write `write`	Delete primary email for the user, a logto-verification-id header is required for checking sensitive permissions. The request is rejected if it would remove the user's last identifier.
`logto.logto_delete_primary_phone`	Write `write`	Delete primary phone for the user, a logto-verification-id header is required for checking sensitive permissions. The request is rejected if it would remove the user's last identifier.
`logto.logto_delete_resource`	Write `write`	Delete an API resource by ID.
`logto.logto_delete_resource_scope`	Write `write`	Delete an API resource scope (permission) from the given resource.
`logto.logto_delete_role`	Write `write`	Delete a role with the given ID.
`logto.logto_delete_role_application`	Write `write`	Remove the role from an application with the given ID.
`logto.logto_delete_role_scope`	Write `write`	Unlink an API resource scope (permission) from a role with the given ID.
`logto.logto_delete_role_user`	Write `write`	Remove a role from a user with the given ID.
`logto.logto_delete_saml_application`	Write `write`	Delete a SAML application by ID.
`logto.logto_delete_saml_application_secret`	Write `write`	Delete a signing certificate of the SAML application. Active certificates cannot be deleted.
`logto.logto_delete_secret`	Write `write`	Delete a secret by its ID.
`logto.logto_delete_sentinel_activities`	Write `write`	Remove sentinel activity reports based on the provided target value(identifier).Use this endpoint to unblock users who may be locked out due to too many failed authentication attempts.
`logto.logto_delete_session_by_id`	Write `write`	Revoke a specific user session by its ID, optionally revoking target associated grants and tokens. A logto-verification-id in header is required for revoking sessions.
`logto.logto_delete_sso_connector`	Write `write`	Delete an SSO connector by ID.
`logto.logto_delete_user`	Write `write`	Delete user with the given ID. Note all associated data will be deleted cascadingly.
`logto.logto_delete_user_grant`	Write `write`	Revoke a specific grant and its associated token chain by grant ID. Also removes the matching session authorization entry for this grant from the related active session. The grant must belong to the user.
`logto.logto_delete_user_identity`	Write `write`	Delete a social identity from the user.
`logto.logto_delete_user_mfa_verification`	Write `write`	Delete an MFA verification for the user with the given verification ID. The verification ID must be associated with the given user ID.
`logto.logto_delete_user_personal_access_token`	Write `write`	Delete a token for the user by name using the legacy path parameter. Deprecated: use the POST /delete endpoint instead to avoid url name encoding issues.
`logto.logto_delete_user_role`	Write `write`	Remove an API resource role from the user.
`logto.logto_delete_user_session`	Write `write`	Revoke a specific user session by its ID, optionally revoking associated target grants and tokens.
`logto.logto_generate_backup_codes`	Write `write`	Create a new BackupCode verification record with new backup codes generated. This verification record will be used to bind the backup codes to the user's profile.
`logto.logto_generate_my_account_backup_codes`	Write `write`	Generate backup codes for the user.
`logto.logto_generate_totp_secret`	Write `write`	Generate a TOTP secret for the user.
`logto.logto_generate_web_authn_registration_options`	Write `write`	Generate WebAuthn registration options for the user to register a new WebAuthn device.
`logto.logto_get_account_center_settings`	Read `read`	Get the account center settings.
`logto.logto_get_active_user_counts`	Read `read`	Get active user data, including daily active user (DAU), weekly active user (WAU) and monthly active user (MAU). It also includes an array of DAU in the past 30 days.
`logto.logto_get_admin_console_config`	Read `read`	Get the global configuration object for Logto Console.
`logto.logto_get_application`	Read `read`	Get application details by ID.
`logto.logto_get_application_sign_in_experience`	Read `read`	Get application level sign-in experience for a given application. - Only branding properties and terms links customization is supported for now. - Only third-party applications can have the sign-in experience customization for now.
`logto.logto_get_backup_codes`	Read `read`	Get all backup codes for the user with their usage status. Requires identity verification.
`logto.logto_get_captcha_provider`	Read `read`	Get the captcha provider, you can only have one captcha provider.
`logto.logto_get_connector`	Read `read`	Get connector data by ID
`logto.logto_get_connector_factory`	Read `read`	Get connector factory by the given ID.
`logto.logto_get_custom_phrase`	Read `read`	Get custom phrases for the specified language tag.
`logto.logto_get_custom_profile_field_by_name`	Read `read`	Get a custom profile field by name.
`logto.logto_get_domain`	Read `read`	Get domain details by ID, by calling this API, the domain status will be synced from remote provider.
`logto.logto_get_email_template`	Read `read`	Get the email template by its ID.
`logto.logto_get_enabled_sso_connectors`	Read `read`	Extract the email domain from the provided email address. Returns all the enabled SSO connectors that match the email domain.
`logto.logto_get_enterprise_sso_identity_access_token`	Read `read`	This API retrieves the access token issued by a third-party enterprise SSO provider for a given SSO connector ID. Access is only available if token storage is enabled for the corresponding connector. When a user authenticates through a SSO provider, Logto automatically stores the provider's tokens in an encrypted form. You can use this API to securely retrieve the stored access token and use it to access third-party APIs on behalf of the user.
`logto.logto_get_grants`	Read `read`	Retrieve all active application grants for the user. A logto-verification-id in header is required for checking grant details.
`logto.logto_get_hasura_auth`	Read `read`	The `HASURA_GRAPHQL_AUTH_HOOK` endpoint for Hasura auth. Use this endpoint to integrate Hasura's [webhook authentication flow](https://hasura.io/docs/latest/auth/authentication/webhook/).
`logto.logto_get_hook`	Read `read`	Get hook details by ID.
`logto.logto_get_id_token_config`	Read `read`	Get the ID token extended claims configuration for the tenant. This configuration controls which extended claims (e.g., `custom_data`, `identities`, `roles`, `organizations`, `organization_roles`) are included in ID tokens.
`logto.logto_get_interaction`	Read `read`	Get the public interaction data.
`logto.logto_get_jwt_customizer`	Read `read`	Get the JWT customizer for the given token type.
`logto.logto_get_log`	Read `read`	Get log details by ID.
`logto.logto_get_logto_config`	Read `read`	Retrieve the exposed portion of the current user's logto config. This includes MFA states (enabled, skipped, skipMfaOnSignIn) and passkey sign-in binding states (skipped). Passkey is a WebAuthn MFA factor and shares the same account center field access control as MFA.
`logto.logto_get_mfa_settings`	Read `read`	Get MFA settings for the user. This endpoint requires the Identities scope. Returns current MFA configuration preferences.
`logto.logto_get_mfa_verifications`	Read `read`	Get MFA verifications for the user.
`logto.logto_get_new_user_counts`	Read `read`	Get new user count in the past 7 days.
`logto.logto_get_oidc_keys`	Read `read`	Get OIDC signing keys by key type. The actual key will be redacted from the result.
`logto.logto_get_oidc_session_config`	Read `read`	Get the OIDC session configuration for the tenant.
`logto.logto_get_one_time_token`	Read `read`	Get a one-time token by its ID.
`logto.logto_get_organization`	Read `read`	Get organization details by ID.
`logto.logto_get_organization_invitation`	Read `read`	Get an organization invitation by ID.
`logto.logto_get_organization_role`	Read `read`	Get organization role details by ID.
`logto.logto_get_organization_scope`	Read `read`	Get organization scope details by ID.
`logto.logto_get_profile`	Read `read`	Get profile for the user.
`logto.logto_get_resource`	Read `read`	Get an API resource details by ID.
`logto.logto_get_role`	Read `read`	Get role details by ID.
`logto.logto_get_saml_application`	Read `read`	Get SAML application details by ID.
`logto.logto_get_saml_application_callback`	Read `read`	Handle the OIDC callback for SAML application and generate SAML response.
`logto.logto_get_saml_authn`	Read `read`	Process SAML authentication request using HTTP Redirect binding.
`logto.logto_get_sessions`	Read `read`	Retrieve all non-expired sessions for the user, including session metadata and interaction details when available. A logto-verification-id in header is required for checking sensitive session details.
`logto.logto_get_sign_in_exp`	Read `read`	Get the default sign-in experience settings.
`logto.logto_get_sign_in_experience_config`	Read `read`	Get the full sign-in experience configuration.
`logto.logto_get_sign_in_experience_phrases`	Read `read`	Get localized phrases based on the specified language.
`logto.logto_get_social_identity_access_token`	Read `read`	This API retrieves the access token issued by a third-party social provider for a given social target. Access is only available if token storage is enabled for the corresponding social connector. When a user authenticates through a social provider, Logto automatically stores the provider's tokens in an encrypted form. You can use this API to securely retrieve the stored access token and use it to access third-party APIs on behalf of the user.
`logto.logto_get_sso_connector`	Read `read`	Get SSO connector data by ID. In addition to the raw SSO connector data, a copy of fetched or parsed IdP configs and a copy of connector provider's data will be attached.
`logto.logto_get_status`	Read `read`	The traditional health check API. No authentication needed. > Note > Even if 204 is returned, it does not guarantee all the APIs are working properly since they may depend on additional resources or external services.
`logto.logto_get_swagger_json`	Read `read`	The endpoint for the current JSON document. The JSON conforms to the [OpenAPI v3.0.1](https://spec.openapis.org/oas/v3.0.1) (a.k.a. Swagger) specification.
`logto.logto_get_system_application_config`	Read `read`	Get the application constants.
`logto.logto_get_total_user_count`	Read `read`	Get total user count in the current tenant.
`logto.logto_get_user`	Read `read`	Get user data for the given ID.
`logto.logto_get_user_asset_service_status`	Read `read`	Get user assets service status.
`logto.logto_get_user_has_password`	Read `read`	Check if the user with the given ID has a password set.
`logto.logto_get_user_identity`	Read `read`	This API retrieves the social identity and its associated token set for the specified user from the Logto Secret Vault. The token set will only be available if token storage is enabled for the corresponding social connector.
`logto.logto_get_user_session`	Read `read`	Retrieve a non-expired session for the user by session ID, including session metadata and interaction details when available.
`logto.logto_get_user_sso_identity`	Read `read`	This API retrieves the user's enterprise SSO identity and associated token set record from the Logto Secret Vault. The token set will only be available if token storage is enabled for the corresponding SSO connector.
`logto.logto_get_well_known_account_center`	Read `read`	Get the default account center configuration.
`logto.logto_get_well_known_experience`	Read `read`	Get the full sign-in experience configuration.
`logto.logto_get_well_known_experience_openapi_json`	Read `read`	The endpoint for the Experience API JSON document. The JSON conforms to the [OpenAPI v3.0.1](https://spec.openapis.org/oas/v3.0.1) (a.k.a. Swagger) specification.
`logto.logto_get_well_known_management_openapi_json`	Read `read`	The endpoint for the Management API JSON document. The JSON conforms to the [OpenAPI v3.0.1](https://spec.openapis.org/oas/v3.0.1) (a.k.a. Swagger) specification.
`logto.logto_get_well_known_user_openapi_json`	Read `read`	The endpoint for the User API JSON document. The JSON conforms to the [OpenAPI v3.0.1](https://spec.openapis.org/oas/v3.0.1) (a.k.a. Swagger) specification.
`logto.logto_identify_user`	Write `write`	This API identifies the user based on the verificationId within the current experience interaction: - `SignIn` and `ForgotPassword` interactions: Verifies the user's identity using the provided `verificationId`. - `Register` interaction: Creates a new user account using the profile data from the current interaction. If a verificationId is provided, the profile data will first be updated with the verification record before creating the account. If not, the account is created directly from the sto
`logto.logto_init_interaction`	Write `write`	Init a new experience interaction with the given interaction type. Any existing interaction data will be cleared.
`logto.logto_list_application_organizations`	Read `read`	Get the list of organizations that an application is associated with.
`logto.logto_list_application_protected_app_metadata_custom_domains`	Read `read`	Get custom domains of the specified application, the application type should be protected app.
`logto.logto_list_application_roles`	Read `read`	Get API resource roles assigned to the specified application with pagination.
`logto.logto_list_application_secrets`	Read `read`	Get all the secrets for the application.
`logto.logto_list_application_user_consent_organizations`	Read `read`	List all the user consented organizations for a application by application id and user id.
`logto.logto_list_application_user_consent_scopes`	Read `read`	List all the user consent scopes of an application by application id
`logto.logto_list_applications`	Read `read`	Get applications that match the given query with pagination.
`logto.logto_list_connector_factories`	Read `read`	Get all connector factories data available in Logto.
`logto.logto_list_connectors`	Read `read`	Get all connectors in the current tenant.
`logto.logto_list_custom_phrases`	Read `read`	Get all custom phrases for all languages.
`logto.logto_list_custom_profile_fields`	Read `read`	Get all custom profile fields.
`logto.logto_list_domains`	Read `read`	Get all of your custom domains.
`logto.logto_list_email_templates`	Read `read`	Get the list of email templates.
`logto.logto_list_hook_recent_logs`	Read `read`	Get recent logs that match the given query for the specified hook with pagination.
`logto.logto_list_hooks`	Read `read`	Get a list of hooks with optional pagination.
`logto.logto_list_jwt_customizers`	Read `read`	Get all JWT customizers for the tenant.
`logto.logto_list_logs`	Read `read`	Get logs that match the given query with pagination.
`logto.logto_list_one_time_tokens`	Read `read`	Get a list of one-time tokens, filtering by email and status, with optional pagination.
`logto.logto_list_organization_application_roles`	Read `read`	Get roles associated with the application in the organization.
`logto.logto_list_organization_applications`	Read `read`	Get applications associated with the organization.
`logto.logto_list_organization_invitations`	Read `read`	Get organization invitations.
`logto.logto_list_organization_jit_email_domains`	Read `read`	Get email domains for just-in-time provisioning of users in the organization.
`logto.logto_list_organization_jit_roles`	Read `read`	Get organization roles that will be assigned to users during just-in-time provisioning.
`logto.logto_list_organization_jit_sso_connectors`	Read `read`	Get enterprise SSO connectors for just-in-time provisioning of users in the organization.
`logto.logto_list_organization_role_resource_scopes`	Read `read`	Get resource scopes that are assigned to the specified organization role with optional pagination.
`logto.logto_list_organization_role_scopes`	Read `read`	Get organization scopes that are assigned to the specified organization role with optional pagination.
`logto.logto_list_organization_roles`	Read `read`	Get organization roles with pagination.
`logto.logto_list_organization_scopes`	Read `read`	Get organization scopes that match with optional pagination.
`logto.logto_list_organization_user_roles`	Read `read`	Get roles assigned to a user in the specified organization with pagination.
`logto.logto_list_organization_user_scopes`	Read `read`	Get scopes assigned to a user in the specified organization tailored by the organization roles. The scopes are derived from the organization roles assigned to the user.
`logto.logto_list_organization_users`	Read `read`	Get users that are members of the specified organization for the given query with pagination.
`logto.logto_list_organizations`	Read `read`	Get organizations that match the given query with pagination.
`logto.logto_list_resource_scopes`	Read `read`	Get scopes (permissions) defined for an API resource.
`logto.logto_list_resources`	Read `read`	Get API resources in the current tenant with pagination.
`logto.logto_list_role_applications`	Read `read`	Get applications that have the role assigned with pagination.
`logto.logto_list_role_scopes`	Read `read`	Get API resource scopes (permissions) linked with a role.
`logto.logto_list_role_users`	Read `read`	Get users who have the role assigned with pagination.
`logto.logto_list_roles`	Read `read`	Get roles with filters and pagination.
`logto.logto_list_saml_application_metadata`	Read `read`	Get the SAML metadata XML for the application.
`logto.logto_list_saml_application_secrets`	Read `read`	Get all signing certificates of the SAML application.
`logto.logto_list_sso_connector_providers`	Read `read`	Get a complete list of supported SSO connector providers.
`logto.logto_list_sso_connectors`	Read `read`	Get SSO connectors with pagination. In addition to the raw SSO connector data, a copy of fetched or parsed IdP configs and a copy of connector provider's data will be attached.
`logto.logto_list_user_all_identities`	Read `read`	This API retrieves all identities (social and enterprise SSO) for a user, along with their associated token set records from the Logto Secret Vault. The token sets will only be available if token storage is enabled for the corresponding identity connector.
`logto.logto_list_user_custom_data`	Read `read`	Get custom data for the given user ID.
`logto.logto_list_user_grants`	Read `read`	Retrieve all non-expired grants of the user. Optionally filter by application type via `appType`; when omitted, grants from all application types are returned.
`logto.logto_list_user_logto_configs`	Read `read`	Retrieve the exposed portion of a user's logto config. Includes MFA states (enabled, skipped, skipMfaOnSignIn) and passkey sign-in states (skipped).
`logto.logto_list_user_mfa_verifications`	Read `read`	Get a user's existing MFA verifications for a given user ID.
`logto.logto_list_user_organizations`	Read `read`	Get all organizations that the user is a member of. In each organization object, the user's roles in that organization are included in the `organizationRoles` array.
`logto.logto_list_user_personal_access_tokens`	Read `read`	Get all personal access tokens for the user.
`logto.logto_list_user_roles`	Read `read`	Get API resource roles assigned to the user with pagination.
`logto.logto_list_user_sessions`	Read `read`	Retrieve all non-expired sessions for the user, including session metadata and interaction details when available.
`logto.logto_list_users`	Read `read`	Get users with filters and pagination. Logto provides a very flexible way to query users. You can filter users by almost any fields with multiple modes. To learn more about the query syntax, please refer to [Advanced user search](https://docs.logto.io/docs/recipes/manage-users/advanced-user-search/).
`logto.logto_mark_mfa_enabled`	Write `write`	Mark the user's MFA as enabled for the current interaction and persist in DB user configs upon successful submission.
`logto.logto_replace_application_roles`	Write `write`	Update API resource roles assigned to the specified application. This will replace the existing API resource roles.
`logto.logto_replace_application_sign_in_experience`	Write `write`	Update application level sign-in experience for the specified application. Create a new sign-in experience if it does not exist. - Only branding properties and terms links customization is supported for now. - Only third-party applications can be customized for now. - Application level sign-in experience customization is optional, if provided, it will override the default branding and terms links.
`logto.logto_replace_application_user_consent_organizations`	Write `write`	Grant a list of organization access of a user for a application by application id and user id. The user must be a member of all the organizations. Only third-party application needs to be granted access to organizations, all the other applications can request for all the organizations' access by default.
`logto.logto_replace_custom_phrase`	Write `write`	Upsert custom phrases for the specified language tag. Upsert means that if the custom phrases already exist, they will be updated. Otherwise, they will be created.
`logto.logto_replace_email_templates`	Write `write`	Create or replace a list of email templates. If an email template with the same language tag and template type already exists, its details will be updated.
`logto.logto_replace_one_time_token_status`	Write `write`	Update the status of a one-time token by its ID. This can be used to mark the token as consumed or expired.
`logto.logto_replace_organization_application_roles`	Write `write`	Replace all roles associated with the application in the organization with the given data.
`logto.logto_replace_organization_applications`	Write `write`	Replace all applications associated with the organization with the given data.
`logto.logto_replace_organization_invitation_status`	Write `write`	Update the status of an organization invitation by ID.
`logto.logto_replace_organization_jit_email_domains`	Write `write`	Replace all just-in-time provisioning email domains for the organization with the given data.
`logto.logto_replace_organization_jit_roles`	Write `write`	Replace all organization roles that will be assigned to users during just-in-time provisioning with the given data.
`logto.logto_replace_organization_jit_sso_connectors`	Write `write`	Replace all enterprise SSO connectors for just-in-time provisioning of users in the organization with the given data.
`logto.logto_replace_organization_role_resource_scopes`	Write `write`	Replace all resource scopes that are assigned to the specified organization role with the given resource scopes. This effectively removes all existing organization scope assignments and replaces them with the new ones.
`logto.logto_replace_organization_role_scopes`	Write `write`	Replace all organization scopes that are assigned to the specified organization role with the given organization scopes. This effectively removes all existing organization scope assignments and replaces them with the new ones.
`logto.logto_replace_organization_user_roles`	Write `write`	Update roles assigned to a user in the specified organization with the provided data.
`logto.logto_replace_organization_users`	Write `write`	Replace all user members for the specified organization with the given users. This effectively removing all existing user memberships in the organization and adding the new users as members.
`logto.logto_replace_user_identity`	Write `write`	Directly update a social identity of the user.
`logto.logto_replace_user_roles`	Write `write`	Update API resource roles assigned to the user. This will replace the existing roles.
`logto.logto_reset_user_password`	Write `write`	Reset the user's password. (`ForgotPassword` interaction only)
`logto.logto_rotate_oidc_keys`	Write `write`	A new key will be generated and prepend to the list of keys. Only two recent keys will be kept. The oldest key will be automatically removed if there are more than two keys.
`logto.logto_skip_mfa_binding_flow`	Write `write`	Skip MFA verification binding flow. If the MFA is enabled in the sign-in experience settings and marked as `UserControlled`, the user can skip the MFA verification binding flow by calling this API.
`logto.logto_skip_mfa_suggestion`	Write `write`	Mark the optional additional MFA binding suggestion as skipped for the current interaction. When multiple MFA factors are enabled and only an email/phone factor is configured, a suggestion to add another factor may be shown; this endpoint records the choice to skip.
`logto.logto_skip_passkey_binding`	Write `write`	Skip passkey binding flow. The users can temporarily skip the passkey binding flow by calling this API during sign-up. On sign-in, the skip flag will be persisted to user config.
`logto.logto_submit_interaction`	Write `write`	Submit the current interaction. - Submit the verified user identity to the OIDC provider for further authentication (SignIn and Register). - Update the user's profile data if any (SignIn and Register). - Reset the password and clear all the interaction records (ForgotPassword).
`logto.logto_test_jwt_customizer`	Write `write`	Test the JWT customizer script with the given sample context and sample token payload.
`logto.logto_update_account_center_settings`	Write `write`	Update the account center settings with the provided settings.
`logto.logto_update_admin_console_config`	Write `write`	Update the global configuration object for Logto Console. This method performs a partial update.
`logto.logto_update_application`	Write `write`	Update application details by ID with the given data.
`logto.logto_update_application_custom_data`	Write `write`	Update the custom data of an application.
`logto.logto_update_application_secret`	Write `write`	Update a secret for the application by name.
`logto.logto_update_captcha_provider`	Write `write`	Update the captcha provider with the provided settings.
`logto.logto_update_connector`	Write `write`	Update connector by ID with the given data. This methods performs a partial update.
`logto.logto_update_custom_profile_field_by_name`	Write `write`	Update a custom profile field by name.
`logto.logto_update_custom_profile_fields_sie_order`	Write `write`	Update the display order of the custom profile fields in Sign-in Experience.
`logto.logto_update_email_template_details`	Write `write`	Update the details of an email template by its ID.
`logto.logto_update_hook`	Write `write`	Update hook details by ID with the given data.
`logto.logto_update_hook_signing_key`	Write `write`	Update the signing key for the specified hook.
`logto.logto_update_interaction_event`	Write `write`	Update the current experience interaction event to the given event type. This API is used to switch the interaction event between `SignIn` and `Register`, while keeping all the verification records data.
`logto.logto_update_jwt_customizer`	Write `write`	Update the JWT customizer for the given token type.
`logto.logto_update_logto_config`	Write `write`	Update the exposed portion of the current user's logto config. Supports updating MFA states (enabled, skipped, skipMfaOnSignIn) and passkey sign-in binding states (skipped). Passkey is a WebAuthn MFA factor and shares the same account center field access control as MFA.
`logto.logto_update_mfa_settings`	Write `write`	Update MFA settings for the user. This endpoint requires identity verification and the Identities scope. Controls whether MFA verification is required during sign-in when the user has MFA configured.
`logto.logto_update_mfa_verification_name`	Write `write`	Update a MFA verification name, a logto-verification-id in header is required for checking sensitive permissions. Only WebAuthn is supported for now.
`logto.logto_update_oidc_session_config`	Write `write`	Update the OIDC session configuration for the tenant. This method performs a partial update. If the configuration does not exist, it will be created.
`logto.logto_update_organization`	Write `write`	Update organization details by ID with the given data.
`logto.logto_update_organization_role`	Write `write`	Update organization role details by ID with the given data.
`logto.logto_update_organization_scope`	Write `write`	Update organization scope details by ID with the given data.
`logto.logto_update_other_profile`	Write `write`	Update other profile for the user, only the fields that are passed in will be updated, to update the address, the user must have the address scope.
`logto.logto_update_password`	Write `write`	Update password for the user, a logto-verification-id in header is required for checking sensitive permissions.
`logto.logto_update_personal_access_token_name`	Write `write`	Update a token for the user by name.
`logto.logto_update_primary_email`	Write `write`	Update primary email for the user, a logto-verification-id in header is required for checking sensitive permissions, and a new identifier verification record is required for the new email ownership verification.
`logto.logto_update_primary_phone`	Write `write`	Update primary phone for the user, a logto-verification-id in header is required for checking sensitive permissions, and a new identifier verification record is required for the new phone ownership verification.
`logto.logto_update_profile`	Write `write`	Update profile for the user, only the fields that are passed in will be updated. Updating or deleting username requires a logto-verification-id header for checking sensitive permissions. Removing any sign-in identifier, including username, is rejected if it would remove the user's last identifier.
`logto.logto_update_resource`	Write `write`	Update an API resource details by ID with the given data. This method performs a partial update.
`logto.logto_update_resource_is_default`	Write `write`	Set an API resource as the default resource for the current tenant. Each tenant can have only one default API resource. If an API resource is set as default, the previously set default API resource will be set as non-default. See [this section](https://docs.logto.io/docs/references/resources/#default-api) for more information.
`logto.logto_update_resource_scope`	Write `write`	Update an API resource scope (permission) for the given resource. This method performs a partial update.
`logto.logto_update_role`	Write `write`	Update role details. This method performs a partial update.
`logto.logto_update_saml_application`	Write `write`	Update SAML application details by ID.
`logto.logto_update_saml_application_secret`	Write `write`	Update the status of a signing certificate.
`logto.logto_update_sign_in_exp`	Write `write`	Update the default sign-in experience settings with the provided data.
`logto.logto_update_social_identity_access_token_by_verification_id`	Write `write`	This API updates the token storage for a social identity by a given social verification ID. It is used to fetch a new access token from the social provider and store it securely in Logto.
`logto.logto_update_sso_connector`	Write `write`	Update an SSO connector by ID. This method performs a partial update.
`logto.logto_update_user`	Write `write`	Update user data for the given ID. This method performs a partial update.
`logto.logto_update_user_custom_data`	Write `write`	Update custom data for the given user ID. This method performs a partial update of the custom data object.
`logto.logto_update_user_is_suspended`	Write `write`	Update user suspension status for the given ID.
`logto.logto_update_user_logto_configs`	Write `write`	Update the exposed portion of a user's logto config. Supports updating MFA states (enabled, skipped, skipMfaOnSignIn) and passkey sign-in states (skipped). All fields are optional - only provided fields will be updated.
`logto.logto_update_user_password`	Write `write`	Update user password for the given ID.
`logto.logto_update_user_personal_access_token`	Write `write`	Update a token for the user by name using the legacy path parameter. Deprecated: use the PATCH /personal-access-tokens endpoint instead to avoid url name encoding issues.
`logto.logto_update_user_profile`	Write `write`	Update profile for the given user ID. This method performs a partial update of the profile object.
`logto.logto_upload_custom_ui_assets`	Write `write`	Upload a zip file containing custom web assets such as HTML, CSS, and JavaScript files, then replace the default sign-in experience with the custom UI assets.
`logto.logto_upsert_id_token_config`	Write `write`	Create or update the ID token extended claims configuration for the tenant. This controls which extended claims are included in ID tokens when the corresponding scopes are requested.
`logto.logto_upsert_jwt_customizer`	Write `write`	Create or update a JWT customizer for the given token type.
`logto.logto_verify_backup_code`	Write `write`	Create a new BackupCode verification record and verify the provided backup code against the user's backup codes. The verification record will be marked as verified if the code is correct.
`logto.logto_verify_enterprise_sso_verification`	Write `write`	Verify the SSO authorization response data and get the user's identity from the SSO provider.
`logto.logto_verify_mfa_verification_code`	Write `write`	Verify the provided MFA verification code. The verification code must have been sent using the MFA verification code endpoint. This endpoint verifies the code against the user's bound identifier and marks the verification as complete if successful.
`logto.logto_verify_one_time_token`	Write `write`	Verify a one-time token associated with an email address. If the token is valid and not expired, it will be marked as consumed.
`logto.logto_verify_one_time_token_verification`	Write `write`	Verify the provided one-time token against the user's email. If successful, the verification record will be marked as verified.
`logto.logto_verify_sign_in_passkey_authentication`	Write `write`	Verify the passkey sign-in WebAuthn authentication response against the stored authentication challenge. When `verificationId` is provided, it verifies against the challenge generated by the identifier-based authentication endpoint. When omitted, it verifies against the preflight authentication options stored in the interaction. Upon successful verification, the verification record will be marked as verified and the user will be resolved by the credential if not provided earlier.
`logto.logto_verify_social_verification`	Write `write`	Verify the social authorization response data and get the user's identity data from the social provider.
`logto.logto_verify_totp_verification`	Write `write`	Verifies the provided TOTP code against the new created TOTP secret or the existing TOTP secret. If a verificationId is provided, this API will verify the code against the TOTP secret that is associated with the verification record. Otherwise, a new TOTP verification record will be created and verified against the user's existing TOTP secret.
`logto.logto_verify_user_password`	Write `write`	Test if the given password matches the user's password.
`logto.logto_verify_verification_by_social`	Write `write`	Verify a social verification record by callback connector data, and save the user information to the record.
`logto.logto_verify_verification_by_verification_code`	Write `write`	Verify the provided verification code against the identifier. If successful, the verification record will be marked as verified.
`logto.logto_verify_verification_code`	Write `write`	Verify a verification code for a specified identifier. if you're using email as the identifier, you need to setup your email connector first. if you're using phone as the identifier, you need to setup your SMS connector first.
`logto.logto_verify_verification_code_verification`	Write `write`	Verify the provided verification code against the user's identifier. If successful, the verification record will be marked as verified.
`logto.logto_verify_web_authn_authentication_verification`	Write `write`	Verifies the WebAuthn authentication response against the user's authentication challenge. Upon successful verification, the verification record will be marked as verified.
`logto.logto_verify_web_authn_registration`	Write `write`	Verify the WebAuthn registration by the user's response.
`logto.logto_verify_web_authn_registration_verification`	Write `write`	Verify the WebAuthn registration response against the user's WebAuthn registration challenge. If the response is valid, the WebAuthn registration record will be marked as verified.