Logto

Setting	Value
Redirect URIs	Your application’s callback URL(s) (e.g., `https://yourapp.com/callback`)
Post sign-out redirect URIs	Where users land after logout
CORS allowed origins	Your application’s origin(s)

Note Your Application Credentials

From the application settings, copy:

App ID - Your application’s client ID
Endpoint - Your Logto endpoint (e.g., https://your-tenant.logto.app or your self-hosted URL)

For traditional web apps, also copy the App Secret for server-side token exchange.

Configure Char

In the Char Dashboard:

Navigate to Settings → Integration
Under SSO Configuration, select Custom OIDC as the provider
Enter your Issuer URL (your Logto endpoint, e.g., https://your-tenant.logto.app/oidc)
Enter your Client ID (App ID from Step 3)
Click Test Connection to verify
Click Save Changes

Configuration Reference

Char Field	Logto Value	Example
Provider Type	Custom OIDC	`oidc`
Issuer URL	Logto endpoint + `/oidc`	`https://your-tenant.logto.app/oidc`
Client ID	Application App ID	`abc123def456`

Logto’s OIDC issuer URL is your endpoint followed by /oidc. The JWKS endpoint is at {endpoint}/oidc/jwks and discovery at {endpoint}/oidc/.well-known/openid-configuration.

Using Upstream Identity Providers

If you’re using Logto with social connectors (Google, GitHub, etc.) or enterprise SSO, Logto acts as your identity layer. Char validates Logto’s tokens, not the upstream provider’s tokens.

Understanding Auth Platforms vs Direct IDPs

Learn how auth platforms like Logto issue their own tokens after upstream OAuth flows

Token Requirements

Char validates Logto ID tokens with these requirements:

Claim	Requirement
`iss`	Must match `{your-logto-endpoint}/oidc`
`aud`	Must include your configured App ID
`sub`	Required - used as the user identifier
`exp`	Must not be expired

Logto ID Token Claims

Logto ID tokens include standard OIDC claims based on requested scopes:

Scope	Claims Included
`openid`	`sub` (user ID), `iss`, `aud`, `exp`, `iat`
`profile`	`name`, `picture`, `username`
`email`	`email`, `email_verified`

Example ID token payload:

{
  "sub": "user_abc123",
  "iss": "https://your-tenant.logto.app/oidc",
  "aud": "your-app-id",
  "exp": 1742975822,
  "iat": 1742974022,
  "name": "John Doe",
  "email": "[email protected]",
  "email_verified": true
}

Example: Obtaining and Passing the Token

React (@logto/react)
Next.js App Router (@logto/next)
Browser SDK (@logto/browser)
Vue.js

import { LogtoProvider, useLogto } from "@logto/react";
import { useEffect, useRef } from "react";
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement } from "@mcp-b/char/web-component";

// Configure the provider in your app root
const CLIENT_ID = "your-app-id";

const config = {
  endpoint: "https://your-tenant.logto.app",
  appId: CLIENT_ID,
};

function App() {
  return (
    <LogtoProvider config={config}>
      <Dashboard />
    </LogtoProvider>
  );
}

function Dashboard() {
  const { isAuthenticated, getIdTokenClaims } = useLogto();
  const agentRef = useRef<WebMCPAgentElement>(null);

  useEffect(() => {
    if (isAuthenticated && agentRef.current) {
      getIdTokenClaims().then((claims) => {
        if (claims?.__raw) {
          // Use connect() - keeps token out of DOM
          agentRef.current?.connect({ idToken: claims.__raw, clientId: CLIENT_ID });
        }
      });
    }
  }, [isAuthenticated, getIdTokenClaims]);

  return <char-agent ref={agentRef} />;
}

// app/logto.ts - Configuration
import { LogtoNextConfig } from "@logto/next";

export const logtoConfig: LogtoNextConfig = {
  appId: "your-app-id",
  appSecret: "your-app-secret",
  endpoint: "https://your-tenant.logto.app",
  baseUrl: "https://yourapp.com",
  cookieSecret: "complex_password_at_least_32_characters_long",
  cookieSecure: process.env.NODE_ENV === "production",
};

// app/dashboard/page.tsx
import { getLogtoContext } from "@logto/next/server-actions";
import { logtoConfig } from "../logto";
import { redirect } from "next/navigation";
import { CharAgent } from "./char-agent";

async function getTicketAuth(idToken: string) {
  const response = await fetch("https://api.usechar.ai/api/auth/ticket", {
    method: "POST",
    headers: {
      Authorization: `Bearer ${idToken}`,
      "Content-Type": "application/json",
    },
  });
  return response.json();
}

export default async function Dashboard() {
  const { isAuthenticated, claims } = await getLogtoContext(logtoConfig);

  if (!isAuthenticated || !claims) {
    redirect("/api/logto/sign-in");
  }

  // Get the raw ID token for ticket exchange
  const ticketAuth = await getTicketAuth(claims.__raw);

  return (
    <main>
      <CharAgent ticketAuth={ticketAuth} />
    </main>
  );
}

// app/dashboard/char-agent.tsx
"use client";
import { useEffect, useRef } from "react";
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement, TicketAuth } from "@mcp-b/char/web-component";

export function CharAgent({ ticketAuth }: { ticketAuth: TicketAuth }) {
  const agentRef = useRef<WebMCPAgentElement>(null);

  useEffect(() => {
    agentRef.current?.connect({ ticketAuth });
  }, [ticketAuth]);

  return <char-agent ref={agentRef} />;
}

This approach keeps your Logto JWT server-side. The ticket is opaque, single-use, and expires in 60 seconds. See SSR Authentication for details.

import LogtoClient from "@logto/browser";
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement } from "@mcp-b/char/web-component";

const logtoClient = new LogtoClient({
  endpoint: "https://your-tenant.logto.app",
  appId: "your-app-id",
});

// After sign-in callback
async function handleCallback() {
  await logtoClient.handleSignInCallback(window.location.href);

  if (await logtoClient.isAuthenticated()) {
    const claims = await logtoClient.getIdTokenClaims();

    const agent = document.querySelector("char-agent") as WebMCPAgentElement
      ?? document.createElement("char-agent") as WebMCPAgentElement;

    if (!agent.isConnected) {
      document.body.appendChild(agent);
    }

    // Use connect() - keeps token out of DOM
    if (claims?.__raw) {
      agent.connect({ idToken: claims.__raw, clientId: "your-app-id" });
    }
  }
}

// Initiate sign-in
function signIn() {
  logtoClient.signIn("https://yourapp.com/callback");
}

<script setup lang="ts">
import { useLogto } from "@logto/vue";
import { ref, watchEffect } from "vue";
import "@mcp-b/char/web-component";
import type { WebMCPAgentElement } from "@mcp-b/char/web-component";

const { isAuthenticated, getIdTokenClaims } = useLogto();
const agentRef = ref<WebMCPAgentElement | null>(null);

watchEffect(async () => {
  if (isAuthenticated.value && agentRef.value) {
    const claims = await getIdTokenClaims();
    if (claims?.__raw) {
      agentRef.value.connect({ idToken: claims.__raw, clientId: "your-app-id" });
    }
  }
});
</script>

<template>
  <char-agent ref="agentRef" />
</template>

Which approach? Use Next.js SSR with Ticket if you want to keep Logto JWTs server-side (more secure). Use the React/Browser SDK if you have a client-side SPA.

Organizations and Multi-Tenancy

Logto supports multi-tenant applications with organizations:

// Request organization-scoped tokens
const config = {
  endpoint: "https://your-tenant.logto.app",
  appId: "your-app-id",
  scopes: ["openid", "profile", "email", "urn:logto:scope:organizations"],
};

Organization claims are included in tokens when users belong to organizations. See the organization token guide for details.

Custom Token Claims

Logto allows adding custom claims to tokens via the Console:

Go to API resources → Logto management API
Configure custom JWT claims in the Machine to machine section
Or use the Custom JWT feature for access tokens

Custom Token Claims

Learn how to add custom claims to Logto tokens

Troubleshooting

INVALID_ISSUER error

The token issuer doesn’t match your configured endpoint:

Verify the Issuer URL in Char includes /oidc suffix (e.g., https://your-tenant.logto.app/oidc)
Ensure you’re using the correct tenant URL
For self-hosted instances, verify your ENDPOINT configuration

INVALID_AUDIENCE error

The token’s aud claim doesn’t match your configured App ID:

Ensure the Client ID matches your Logto application’s App ID exactly
Verify you’re using the ID token (from getIdTokenClaims().__raw)
Check that the correct application is configured

JWKS_FETCH_FAILED error

Char couldn’t reach Logto’s JWKS endpoint:

Verify your Logto instance is accessible
Check that the endpoint URL is correct
For self-hosted: ensure /oidc/jwks is publicly accessible
Use Test Connection in the dashboard to verify

getIdTokenClaims returns undefined

If you can’t get the ID token claims:

Ensure the user has completed the sign-in flow
Check that openid scope is included (it’s included by default)
Verify your redirect URIs match your application settings

cookieSecret must be at least 32 characters

For Next.js SDK:

The cookieSecret in your config must be at least 32 characters
Generate a secure secret: openssl rand -base64 32

Logto Features

Logto offers additional features that complement Char integration:

Feature	Description
Multi-tenancy	Built-in organization support for B2B apps
Enterprise SSO	SAML and OIDC connections for enterprise customers
RBAC	Role-based access control with permissions
Social Login	30+ social connectors (Google, GitHub, etc.)
Passwordless	Email/SMS magic links and codes
MFA	TOTP and backup codes
Webhooks	Real-time event notifications
Audit Logs	Track authentication events

Logto Documentation

Explore the full Logto documentation

Self-Hosting Logto

Logto can be self-hosted using Docker:

# Quick start with Docker
docker run -d \
  -p 3001:3001 \
  -p 3002:3002 \
  -e ENDPOINT=https://auth.yourapp.com \
  ghcr.io/logto-io/logto

For production deployments, see the self-hosting guide.

Security Best Practices

Use HTTPS for all endpoints in production
Configure CORS to restrict allowed origins
Set appropriate token expiration times
Enable MFA for enhanced security
Review audit logs regularly for suspicious activity
Use organizations for proper tenant isolation in B2B apps

Introduction

Getting Started

How-to Guides

Explanation

Private Beta

Prerequisites

Quick Links

Logto Console

Logto Docs

React Quick Start

GitHub

SDK References

@logto/react

@logto/next

@logto/browser

@logto/vue

All Quick Starts

Configuration Steps

Configuration Reference

Using Upstream Identity Providers

Understanding Auth Platforms vs Direct IDPs

Token Requirements

Logto ID Token Claims

Example: Obtaining and Passing the Token

Organizations and Multi-Tenancy

Custom Token Claims

Custom Token Claims

Troubleshooting

Logto Features

Logto Documentation

Self-Hosting Logto

Security Best Practices

Introduction

Getting Started

How-to Guides

Explanation

Private Beta

​Prerequisites

​Quick Links

Logto Console

Logto Docs

React Quick Start

GitHub

​SDK References

@logto/react

@logto/next

@logto/browser

@logto/vue

All Quick Starts

​Configuration Steps

​Configuration Reference

​Using Upstream Identity Providers

Understanding Auth Platforms vs Direct IDPs

​Token Requirements

​Logto ID Token Claims

​Example: Obtaining and Passing the Token

​Organizations and Multi-Tenancy

​Custom Token Claims

Custom Token Claims

​Troubleshooting

​Logto Features

Logto Documentation

​Self-Hosting Logto

​Security Best Practices

Prerequisites

Quick Links

SDK References

Configuration Steps

Configuration Reference

Using Upstream Identity Providers

Token Requirements

Logto ID Token Claims

Example: Obtaining and Passing the Token

Organizations and Multi-Tenancy

Custom Token Claims

Troubleshooting

Logto Features

Self-Hosting Logto

Security Best Practices