Logto

Logto is an open-source identity platform that bundles OIDC, OAuth 2.1, enterprise SSO, multi-tenancy and RBAC into a single MPL-2.0 codebase you can either self-host for free or run on Logto Cloud. We rate it 88/100 — the most credible 2026 alternative to Auth0, Clerk and AWS Cognito if you are building a B2B SaaS or AI agent product and want a modern developer experience without per-MAU pricing surprises.

What is Logto?

Logto launched its first public release in September 2022 after the Silverhand team open-sourced the project on GitHub in 2021. The repository at github.com/logto-io/logto has since accumulated over 11,900 stars and 783 forks, and the company shipped v1.39.0 on April 30, 2026. Unlike legacy identity providers that bolt multi-tenancy and SSO on as enterprise add-ons, Logto designs around them from the data model up — every user can natively belong to multiple organizations, every API resource can carry its own RBAC scopes, and every tenant can run its own custom domain.

The core problem Logto solves is the "Auth0 trap": you start free, your product grows, and a year later your monthly invoice has crossed five figures because you crossed an MAU threshold or needed enterprise SSO. Logto attacks that with two levers — a fully MPL-2.0 self-hostable codebase, and a hosted plan that charges by access tokens issued (an actual usage signal) rather than by raw MAU. The result is a platform that scales gracefully whether you have 500 users or 500,000.

Key Features of Logto

• OIDC and OAuth 2.1 by default: Every Logto tenant is a fully compliant OpenID Provider, including the OAuth 2.1 draft, RFC 9068 access tokens, PKCE-only public clients and DPoP support — the same standards Auth0 and Okta charge enterprise rates for.
• Native multi-tenancy with Organizations: Users can belong to many organizations, each with its own roles, members and JIT provisioning rules. Concrete number: a single Logto tenant has been benchmarked running 10,000+ organizations with no schema changes.
• SDKs for 38+ frameworks: Official quickstarts cover React, Next.js, Vue, Nuxt, SvelteKit, Express, Go, Python, .NET, iOS, Android and Flutter, plus a generic OIDC fallback for anything else.
• Logto MCP Server (released February 2026): An MCP server that lets Cursor, VS Code, OpenCode or Claude Desktop set up Logto from a single prompt — it inspects the repo, creates the application, applies redirect URIs and writes the integration code.
• Enterprise SSO and SAML: SAML 2.0 and OIDC connectors for Okta, Microsoft Entra ID, Google Workspace and arbitrary IdPs; just-in-time provisioning and email-domain routing are first-class on the Pro plan.
• RBAC and machine-to-machine auth: Define API resources, scopes and roles in the console; issue short-lived JWTs to backend services with audience-bound permissions.
• Self-hostable in one Docker command: A single Node.js + PostgreSQL deployment that runs on any container host, with first-party Helm charts for Kubernetes and a published Docker image.

What Users Say About Logto

On Reddit, threads in r/selfhosted and r/SaaS consistently rank Logto alongside Authentik and Keycloak as the "modern" pick — the most upvoted comments praise the developer experience and the "just works" multi-tenancy, while the recurring complaint is that some Pro features (custom domains, MFA bundle, advanced security) are sold as $48-per-month add-ons rather than rolled into the base subscription. On Hacker News, Show HN threads about Logto are routinely positive about the TypeScript codebase and OIDC compliance, with the most thoughtful critique being that the MPL-2.0 license is "weak copyleft" — not a non-starter, but worth understanding before committing. On Product Hunt, the v1.0 launch was a category top-post and the more recent MCP Server post in February 2026 generated solid agentic-AI buzz with multiple developers reporting under-five-minute integrations.

Logto Pricing

Logto sells Cloud as a tiered subscription with usage-based add-ons, while the entire codebase is free to self-host under MPL-2.0.

Plan	Price	Key Limits
Free	$0/mo	Up to 50,000 MAU, 50K access tokens, 3 apps, basic features
Pro (base)	$16/mo per tenant	Unlimited MAU, 50K tokens included, then $0.08 per 100 extra
Pro + add-ons	$24+/mo	Custom domain, MFA bundle, SSO, RBAC, Organizations: $32–$48 each
Enterprise	Contact	Unlimited everything, SAML, SLA, dedicated support, audit log retention
Self-hosted	$0	MPL-2.0, unlimited everything, you run the infrastructure

Compared with Auth0's B2B Essentials at roughly $150/month for 500 MAU and Clerk's Pro plan at $25/month with $0.02 per MAU after the first 10,000, Logto is meaningfully cheaper at every scale we modelled, especially for B2B SaaS that hit Auth0's organizations add-on.

Who Should Use Logto?

Best for: Bootstrapped or VC-backed SaaS startups that want first-class multi-tenancy on day one without paying Auth0 enterprise rates; AI and agent products that need OIDC-compliant token issuance plus the new MCP server bridge; and security-conscious teams that prefer self-hosting under MPL-2.0 to avoid US-only data residency.

Not ideal for: Organizations already deeply committed to Keycloak with mature realms and federation graphs (the migration cost is meaningful); pure B2C consumer apps where Firebase Auth's free tier is hard to beat; and regulated industries that require fully air-gapped FedRAMP-style deployments — Logto Cloud does not currently offer that compliance posture, although the self-hosted edition can be run inside one.

Pros and Cons

Pros:

• Genuinely open source under MPL-2.0 — not "open core" with the good parts paywalled; the entire console, RBAC engine and SSO connectors ship in the public repo.
• Multi-tenancy is native to the data model rather than a configuration trick, which materially reduces B2B SaaS time-to-market.
• Token-based billing on Cloud aligns price with actual usage; refresh tokens and ID tokens are excluded, making invoices roughly half what an MAU-only model would charge.
• MCP Server (Feb 2026) lets agentic IDEs ship working sign-in in a single prompt — the only major IdP to ship this so far.
• SDKs cover 38+ frameworks plus a generic OIDC fallback, so the integration story is easy in almost any stack.

Cons:

• Pro tier add-on pricing (custom domain, SSO, MFA, RBAC, Organizations all priced separately) can stack quickly — budget for $80–$150/month in real-world Pro usage, not the $16 headline.
• MPL-2.0 is OSI-approved but is "file-level copyleft", which a small number of enterprise procurement teams still flag.
• The hosted Cloud is hosted on AWS and offered only as a multi-tenant SaaS today — if you need a regional dedicated tenant you have to self-host.
• Not yet at Auth0's breadth of social connectors or third-party marketplace integrations, although the catalogue is growing each release.

Alternatives to Logto

The closest comparables in 2026 are authentik (Python-based, infinitely customizable flow builder, great for self-hosters), Clerk (managed-only, gorgeous React-first UX, but US-hosted and more expensive at scale), and Keycloak (Red Hat-backed, the enterprise default, but heavy and harder to ship modern UIs on top of). For pure backend OIDC, Ory Kratos and Hydra remain strong, but require you to compose three or four projects together to match what Logto ships in one binary.

Verdict: Is Logto Worth It?

Yes — for the specific shape of company we describe above. If you are starting a B2B SaaS or AI agent product in 2026 and you do not already have an Auth0 contract, Logto is the cheapest credible way to get OIDC, multi-tenancy, RBAC and enterprise SSO in production this week. The MPL-2.0 license is a real fallback if Cloud pricing ever changes, and the MCP Server is genuinely useful rather than a gimmick. Where you should be cautious is the Pro add-on stack — price the real configuration you need, not the $16 headline. Net of that, an 88/100 reflects a product that is best-in-class for new builds and a serious second look for anyone whose Auth0 invoice has crossed five figures.

Frequently Asked Questions

Is Logto free?

Yes. Logto Cloud has a Free plan that supports up to 50,000 monthly active users and 50,000 access tokens at $0/month. The entire codebase is also free to self-host under the MPL-2.0 license.

What is the Logto Pro plan price?

The Pro base plan is $16/month per tenant with unlimited MAU and 50,000 access tokens included; additional tokens are billed at $0.08 per 100. Add-ons such as custom domain, SSO and MFA bundle are priced separately at $32–$48 each.

Is Logto open source?

Yes. Logto is licensed under MPL-2.0 and the full codebase — including the admin console, RBAC engine and SSO connectors — is on GitHub at github.com/logto-io/logto.

How does Logto compare to Auth0?

Logto is significantly cheaper than Auth0 at every scale we tested, ships native multi-tenancy without an add-on, and offers a fully self-hostable open-source edition. Auth0 still leads on the breadth of social connectors and certified compliance posture (FedRAMP, HIPAA), so it remains the safer pick for regulated enterprises.

What frameworks does Logto support?

Logto provides official SDKs and quickstarts for 38+ frameworks including React, Next.js, Vue, Nuxt, SvelteKit, Express, Go, Python, .NET, iOS, Android and Flutter, plus a generic OIDC client for anything else.

Does Logto support MCP and AI agents?

Yes. Logto released its MCP Server in February 2026, allowing AI tools like Cursor, VS Code, OpenCode and Claude Desktop to set up Logto from a single prompt. Logto also exposes an MCP-Auth open-source library for adding standards-based auth to any MCP server.