// the find
logto-io/logto
🧑‍🚀 Authentication and authorization infrastructure for SaaS and AI apps, built on OIDC and OAuth 2.1 with multi-tenancy, SSO, and RBAC.
Logto is a self-hostable OIDC/OAuth 2.1/SAML identity provider aimed at SaaS products that need multi-tenancy, enterprise SSO, and RBAC without building it themselves. It's the open-source alternative to Auth0 or Cognito — you run it, you own the data. Best fit for teams building B2B SaaS who've hit the wall on rolling their own auth.
- Protocol coverage is genuinely complete: OIDC, OAuth 2.1, SAML, TOTP, WebAuthn/passkeys, backup codes, passwordless — all there, not half-implemented. The changeset history shows these are actively maintained, not checkbox features.
- Multi-tenancy is first-class: organization-level RBAC, JIT provisioning, member invites — baked into the data model, not layered on top. Most auth systems treat orgs as an afterthought; this one was clearly designed for it.
- CI is serious: CodeQL analysis, OWASP ZAP dynamic scans (rules in .zap/rules.conf in the repo), an integration test suite with its own Docker Compose setup, and Codecov coverage tracking. This isn't a 'ship and pray' project.
- 30+ SDK packages with real implementations (React, Next.js, Flutter, Go, Python) in a structured monorepo with changeset-based versioning — integrators aren't stuck parsing raw OIDC flows.
- MPL-2.0 is file-level copyleft. If you modify any Logto source file and distribute the result, you must make those modified files available under the same license (on some interpretations this applies to internal distribution too). Most teams adopting this don't read licenses carefully enough and get surprised.
- No official Helm chart or Kubernetes manifests in the OSS repo. Docker Compose works for dev; production self-hosting at any real scale requires you to figure out the infra yourself.
- There's a commercial cloud product sitting alongside the OSS version, and the boundary of what's OSS vs. cloud-gated isn't always obvious from the README. Some advanced organization features and audit log capabilities may push you toward their cloud pricing sooner than expected.
- The monorepo is enormous — dozens of pnpm workspace packages. Spinning up a local dev environment requires reading the contributing guide carefully; the Docker Compose path works but obscures what's actually running, making debugging non-trivial.