Before we jump into the source material today
We really need to address this fundamental problem that honestly almost every
organization wrestles with at some point.
Yeah, the sheer cost and well the incredible complexity of secure logins, right?
Exactly
And that brings us to the supporter of today's deep dive, SafeServer.
Yeah, if you're building an app or you know managing an organization's digital
infrastructure right now
You are probably looking at these incredibly expensive proprietary authentication
tools. Oh, yeah, things like Auth0 or
Microsoft Entra. Google Cloud Identity is another big one, right? And SafeServer
basically helps you implement really powerful open source
alternatives to those massive, you know, proprietary systems. And why make the switch?
I mean beyond the massive cost savings, which is huge
It really comes down to data sovereignty, which is so critical these days
Exactly when you are dealing with legal and compliance requirements like strict
data protection email retention
Financial records and audit trails you really cannot afford to have your users
identity data
Just locked away in a vendor's black box. You need to own it, right? And SafeServer
guides organizations through that entire process.
Yeah from you know that initial consulting phase to figure out exactly what
architecture you actually need all the way to
Operating the open source software on highly secure servers located right within
the EU which solves a ton of headaches for compliance
Huge headaches you keep control you stay compliant and you stop paying that
ridiculous enterprise markup
You can find more information and get started at
www.safeserver.de
Because honestly
Outsourcing your core identity infrastructure to those proprietary giants
It's just a massive strategic risk and we are seeing a really significant industry
pivot toward reclaiming that control
Yeah, and speaking of risks if you're building an app today
You might have this like massive blind spot as you're probably focusing entirely on
human users, right?
People clicking buttons exactly but looking at the trajectory of modern networks
Non-human AI agents are well, they're likely going to outnumber human users in the
very near future
It's not even a question of if but when so true
So today we're diving into this whole stack of GitHub repositories, security white
papers and developer docs
centered around an open source authentication and
authorization infrastructure called Logto. Logto. And our goal today is to really
analyze how modern applications are
attempting to secure themselves for both human users and these, you know, AI agents.
Yeah, and how they do it without forcing developers to become like full-blown cryptographers
because authentication remains
The absolute bane of every software developer's existence. I mean, it's just a
nightmare. It really is. Why is that though?
Well, the friction really comes from the gap between user expectation and technical
reality
So a user opens an app, they click a button and they just expect to be in, right?
Just like that, right?
But beneath that single click is this terrifying labyrinth of security protocols
Yeah
I want to look at the actual mechanics of that labyrinth because the documentation
we're looking at frequently cites these protocols
like OIDC, which is OpenID Connect, and
OAuth 2.1. Those are the big ones. Yeah, right.
But why are these so painfully difficult for a standard product developer to just
implement from scratch?
I mean building an app and then having to build your own authentication system
It feels like I don't know like opening a local bakery
But then having to design and forge your own bank vault from scratch just to hold
the cash register
That is actually a perfect analogy because it comes down to the catastrophic cost
of a tiny mistake
You know, OIDC handles the authentication part, that's basically verifying who the user
actually is.
Okay, and then OAuth 2.1 handles the authorization,
so granting permissions to access certain data but without handing over the actual
password, right?
You don't want to just pass passwords around exactly. So when you use these
protocols, you aren't just sending a username back and forth
You are generating a cryptographically signed JSON Web Token, or a JWT.
Okay JWT and what happens if the developer, you know
Just writes the logic for that token incorrectly like a small typo or something
total compromise like absolute disaster
Really, just from a small error? Oh, yeah.
Let's say a developer accidentally configures their system to accept a token signed
with the wrong
Cryptographic algorithm like they confuse a symmetric key for an asymmetric one
Oh, wow, right a malicious actor can then forge their own digital pass
Rewrite the payload inside it to say hey
I'm the administrator, and the system will just let them right in. That is terrifying.
It is implementing these industry standard protocols from scratch
Requires like a really deep understanding of token life cycles key rotation
cryptographic validation. It's not for beginners. So looking at the developer docs
here, Logto's primary value proposition seems to be just,
you know, removing that cryptographic burden entirely. Going back to the analogy,
it acts as that pre-forged, highly secure bank vault. Exactly. The developer just drops it
into their back end and Logto handles
all the OIDC and OAuth 2.1 token verification
Natively that is the core utility right there the developer doesn't have to write
the intricate logic to validate a web token
They can just focus on building their actual product rather than you know trying to
become an identity security expert overnight
Which is a huge relief right and from a front-end perspective the sources really
detail how this translates into the user experience, right?
Yeah, the visual side of it, right. Logto provides these pre-built sign-in flows. So
you get passwordless entry via email or
SMS verification codes, you have traditional passwords obviously, and social sign-ins
like Google, Apple or Discord, the ones everyone expects.
Yeah, but the feature that really stands out to me in the documentation is this
multi app omni sign-in experience
Oh, that is huge. That solves a major psychological friction point for users. How
so? Well, imagine an
Organization that has like a web dashboard a mobile app and maybe the community
forum
Normally a user might navigate between those platforms and encounter three
completely different login screens
Oh, I hate that right because that inconsistency breeds suspicion users wonder if
they've stumbled onto a phishing site or something
Oh, okay. Yeah, that makes total sense
Yeah
So with the omni sign-in approach the login screen just looks native and consistent
no matter where the user encounters it exactly
It's one centralized sign-in flow for every single application in that ecosystem
Okay, but I want to push back on this omni sign-in idea for a second just based on
the enterprise use cases mentioned in the sources
Okay, let's hear it having one unified login screen sounds really great for the
software provider, right?
Yeah, but what if that software provider grows and lands this massive corporate
client?
Ah the b2b scaling problem, right if I am a large corporation renting space on this
platform
I do not want my employees seeing a generic Logto screen. I want my own
corporate branding.
Does a system like this force a universal look, or does it, you know, allow for
Customization at the client level that is a critical distinction to make and the
documentation actually specifically addresses this through a concept called
multi-tenancy. Multi-tenancy. Yeah, Logto does not force a universal look on
corporate clients
It is built from the ground up to support business to business or b2b scaling
Okay, let's unpack the mechanics of that
How does multi-tenancy actually isolate one client from another? Think of the
application as a large
apartment building. When you have individual consumer users, they each basically get
a small isolated apartment
Okay, makes sense, but when you land a corporate client, let's call them Business A,
</gre_replace>
<gr_replace lines="146" cat="clarify" orig="So log toe allows">
So Logto allows developers to create distinct organizations or tenants within the
they don't just want one apartment
They want to rent an entire floor, right?
They have a whole team exactly and they want the master keys to manage all the
individual rooms on that floor
So log toe allows developers to create distinct organizations or tenants within the
app
Business A gets its own isolated tenant environment. So they get their own branding,
their own user grouping
Yep, and most importantly, strict data isolation from Business B on the floor right
below them. Got it.
So Business A's database queries cannot accidentally, like, bleed over and expose
Business B's user data.
Precisely, that would be a massive compliance failure. And within that isolated
floor, the corporate client also needs RBAC. RBAC,
Which is role-based access control, right? Right? And this is another one of those
enterprise grade features
that's just native to Logto. So under the hood,
how does RBAC actually restrict someone? Is it literally just a list of names on
a server? No,
it's much more robust than that. RBAC
attaches specific permissions to roles and then assigns those roles to users via
claims in their actual identity token.
Okay, so like a tag on their ID badge basically
So an intern receives a token with say a read-only claim while a manager receives a
token with a write and delete claim
When that intern tries to delete a database the application checks the token
Sees the missing permission and just blocks the action at the protocol level. That's
incredibly secure
It is, and Logto manages all of this logic,
Allowing the corporate client to set strict rules without the software developer
having to manually code
You know permission checks for every single user Wow and the sources also highlight
enterprise SSO
So single sign-on as the sort of holy grail of b2b software. We are talking about
integrations with
semel
Entra or Okta
Why do large corporations mandate this so strictly it is entirely about?
Compliance and the IT department's ability to maintain a single kill switch a kill
switch
Yeah, if a corporation has like 5,000 employees the IT department cannot manage
5,000 separate accounts across 50 different software platforms. It's impossible.
Yeah, that would be a nightmare
So they want one centralized identity provider like Okta when an employee leaves
the company IT just disables their Okta account
and that instantly revokes their access to every single app they used,
including yours.
Exactly. Logto allows developers to plug directly into these enterprise identity
providers
Satisfying those corporate compliance requirements right out of the box. Okay, but
normally
Providing features like SAML integration and multi-tenancy that requires enterprise
level pricing
But analyzing Logto's pricing model here reveals a really interesting strategy. The
first
50,000 monthly active users are completely free which is wild
It functions as this massive safety net for growing startup by eliminating the
upfront cost for those enterprise features
Developers can architect their platform for B2B scale from day one
Rather than you know trying to duct tape multi-tenancy onto a consumer app three
years down the line when they finally land a big contract
Yeah, duct taping enterprise features is never a good idea. Never. Now the
documentation makes a really sharp pivot here
Moving away from human users entirely and this brings us back to that blind spot
We mentioned at the start of the show the AI agents. Yes
How does an authentication system handle the paradigm shift of the AI era?
I mean, where scripts, microservices and AI models need to securely access data.
Because if RBAC is like giving different employees different colored key cards,
How do we give a key card to a robot assistant who needs to do tasks on our behalf?
This is where identity infrastructure is currently undergoing a massive evolution
Historically, you know, authentication required a screen, a keyboard and human eyes
to solve a CAPTCHA or
read an SMS code. Right, click all the squares with the crosswalk.
Exactly, but AI agents do not have eyes or smartphones
So Logto is engineering identity for these non-human entities through machine to
machine or M2M authentication
And the documentation
Mentions the model context protocol or MCP in this specific context. What role does
that play?
So MCP is this emerging standard designed to securely connect AI models to external
tools and private data sources
Right
If you deploy an AI assistant and ask it to summarize say a highly confidential
financial report from your private database
That AI needs a way to cryptographically prove to the database that it actually has
the authority to read that file and Logto handles that
Right Logto natively supports the protocols required for those secure automated
handshakes and the mechanism they use for this is called
personal access tokens, or PATs.
How do these differ from a standard login token?
Think of it this way a standard login is like presenting your passport at a border
crossing, right?
The guard has to look at your face to verify. It's really you a personal access
token is more like a diplomatic pouch
It skips the face check entirely, but it is strictly limited in scope. You generate
a PAT specifically for your automated pipeline.
It provides clean programmatic access without any messy login screens
And I assume the major security benefit there is revocation like if the script goes
rogue or the token is leaked somehow
You don't have to change a master password for the whole system
Exactly. You just instantly revoke that specific diplomatic pouch and the AI agent
loses access immediately
That is the exact security posture you need for modern micro services. It isolates
the risk completely
There is another feature detailed in the sources that sort of bridges this gap
between human support and secure access and it's called
impersonation the
Documentation describes this as a way for customer support teams to log in as an
end customer
Yeah, this is a tricky one right because initially that sounds like a massive
security vulnerability
How does a system allow an employee to inhabit a user's account without you know
exposing the users password?
It uses an audit logged temporary session token. Okay, break that down for me
So when a user reports a broken dashboard the support representative doesn't ask
for their password
They never see the password
Instead the rep uses their own high-level admin credentials to request an impersonation
token from Logto
Okay, and then the system generates a temporary highly restricted session that
basically mirrors the users view and crucially
Every single action the support rep takes while impersonating that user is
permanently logged in the audit trail
Oh under the support reps name not the users exactly it provides the visibility
needed for troubleshooting
While maintaining perfect cryptographic accountability that is brilliant
Okay, so we're looking at an impressive list of capabilities here multi-tenancy
machine-to-machine tokens support impersonation
But the practical reality for a developer is, you know, implementation, right? Building
the thing
Yeah
if Logto is open source
Does a developer just download a massive repository of complex code from github and
just hope they can compile it without breaking their servers
Well, the open-source ecosystem has thankfully evolved significantly past that
point
Logto has really mitigated the integration friction by providing these pre-built
software development kits or SDKs
For over 30 different frameworks 30 Wow
Yeah
So whether a team is building the front end in React or Vue and the back end in
Python, Go, iOS, Android, Node,
There's a native SDK designed to just handle the API calls to Logto
Effortlessly and the developer experience detailed in the launch options is also
really revealing
They highlight a Gitpod launch option alongside a local Docker Compose setup. For
someone new to this,
why would a developer choose one over the other? It really comes down to environment
variables and speed. A local Docker
environment requires you to actually download the containers and run them on your
own machine, which takes time, right?
It is highly reproducible
But it relies on your local hardware. Gitpod, on the other hand, spins up the entire
open source environment in the cloud instantly
Oh, so you don't install anything locally. No a developer can click a link
completely bypass all local configuration issues and
Just start testing the authentication flows in their browser within seconds that
speed of deployment is impressive, but
We have to analyze the actual defensive architecture here if we return to that bank
vault analogy
We really need to know how thick the walls are absolutely because open source code
is inherently transparent, right?
Which means hackers can study it just as easily as developers
Well transparency is actually a defensive advantage in cryptography because it
allows
Thousands of independent security researchers to audit the code. They find the bugs
before the bad guys do that's true
But beyond the code itself, Logto undergoes rigorous institutional auditing.
They are SOC 2 Type 2 certified. Okay. What does that certification actually entail?
It's just like a security checklist a company fills out once a year and says we're
good
Not at all. SOC 2 Type 1 is a checklist that proves you have security policies in
place on a specific day.
SOC 2 Type 2 is a grueling continuous audit. An
Independent auditor basically monitors the company's operational practices over an
extended period often six months to a year
Wow, just watching everything they do everything to prove that they actually follow
their strict security privacy and data access procedures every single day
Achieving it is incredibly difficult for a startup to do alone. Okay, that gives a
lot of confidence
Yeah, and delving into the actual cryptography, the white papers specify that Logto
uses Argon2 for password hashing.
Yep, Argon2. How does Argon2 protect a database if it actually gets stolen?
Well when a secure system saves a password it never saves the plain text obviously
it runs the password through a mathematical hash function to create
scrambled text, right? If a hacker steals the database, they usually deploy massive
arrays of graphics processing units, GPUs, to guess
millions of passwords a second, just hoping to find the text that matches the hash.
Brute force.
Exactly. Yeah, Argon2 is designed to defeat this specific hardware attack.
How does it bottleneck a GPU though? Like, GPUs are incredibly fast.
They are, but Argon2 defeats them by utilizing memory-hard functions.
See GPUs have thousands of processing cores allowing them to calculate incredibly
fast, but they have very little local memory
Right. Argon2 forces the hashing process to consume a massive amount of RAM.
By demanding memory rather than just processing speed, Argon2 starves the GPU,
Slowing the hackers brute-force attack to an absolute crawl. That is so clever
It essentially turns the attackers own hardware architecture against them
Exactly and for organizations that want to eliminate passwords entirely the
documentation also highlights support for WebAuthn,
which is the underlying technology for passkeys. Right, passkeys are everywhere now
because WebAuthn represents the gold standard for multi-factor authentication.
Instead of relying on a shared secret like a password it uses public key cryptography
tied to the biometric sensors on your actual device
Okay, wait, so when I use my fingerprint or Face ID to log in, my biometric data isn't
being sent to Logto's server?
Correct. Your biometric data never, ever leaves the secure enclave of your phone or
laptop. Oh, thank goodness. Yeah.
Your device uses that biometric check locally to unlock a private cryptographic key
Which then signs a challenge sent by the server the server only holds the public
key which is useless to a hacker
So even if the server is compromised, they don't have your face or fingerprint
exactly it fundamentally eliminates the risk of phishing and credential stuffing
The final aspect of the architecture detailed in the sources really brings us back
to the deployment models
While Logto is open source and can be self-hosted,
they also offer a fully managed Logto Cloud version, right, for teams that don't
want to manage servers and this highlights a critical
Geographical feature regarding data isolation across distinct regions, right?
Yes, and this is a vital component of international compliance. Logto Cloud
operates environments in the EU the US
Australia and Japan
Meaning a European company can ensure their users identity data literally never
crosses the Atlantic never it stays in Europe
Fully encrypted at the database level with TLS encryption securing the data while
it is in transit
It allows an organization to really leverage the transparency and flexibility of an
open source architecture
While still meeting the rigorous data sovereignty demands of an enterprise
environment exactly
However, it is important to note that maintaining self-hosted identity
infrastructure does require
Dedicated engineering resources to manage updates and security patches right? You
can't just set it and forget it
No. Logto removes the cryptographic complexity, but the infrastructure still
demands operational diligence
Synthesizing the source material here, Logto presents a genuinely compelling
approach to modern identity management
It essentially democratizes access to enterprise-grade security tools
It really does developers are handed this pre-built cryptographic vault that scales
from you know
A simple consumer app all the way to a massive multi-tenant b2b platform with
single sign on and most importantly
It bridges the gap into the AI frontier providing the machine to machine protocols
necessary to secure non-human agents
Which is huge. What's the broader implication for the industry in your view?
I think the broader implication is that developers no longer have to compromise
between speed-to-market
Operational cost and deep security they can finally just rely on vetted
infrastructure as we conclude this analysis
I want to leave you with a provocative thought regarding that AI frontier
We established that autonomous scripts AI models and micro services will soon
completely dominate network traffic
No doubt about it. So when a network is populated almost entirely by non-human
agents performing automated tasks
How will our foundational definition of digital identity have to evolve?
Will the security frameworks of tomorrow have to assess not just the cryptographic
signature of an AI?
But the behavioral intent of its actions
Honestly, that is the defining security question for the next decade of
decentralized computing as you navigate that rapidly changing landscape
You really don't have to be tethered to the expensive proprietary giants of the
past, and that brings us back to our sponsor, SafeServer.
By transitioning to a robust open-source solution like Logto,
Organizations businesses and associations gain incredible cost savings while
permanently escaping vendor lock-in, which is the dream, right?
Whether your priority is strict data protection
establishing immutable audit trails or simply retaining absolute sovereignty over
your user data
SafeServer is equipped to facilitate that entire transition.
You can commission them for specialized consulting to determine if Logto or, you
know
Another open-source alternative is the exact right architectural fit for your
organization's specific needs
From that very first strategy conversation to the full-scale operation on highly
secure servers right within the EU
They manage the complexity so you can just focus on your core product visit
www.safeserver.de to explore your options. The next time you seamlessly log into an
application, take a moment to appreciate the immense invisible
to build it yourself. Thanks for joining us on this deep dive