Skip to main content
Version: 1.x

Machine to Machine: Auth with Logto


This tutorial assumes you have created an Application of type "Machine to Machine" in Admin Console. If you are not ready, read this before continuing.


Machine to Machine (M2M) is a common practice to authenticate if you have an app that needs to directly talks to resources. E.g., an API service that updates users' custom data in Logto, a statistic service that pulls daily orders, etc.

Usually, an M2M app doesn't need user interactions, i.e., it has no UI.


Logto does not currently support the M2M app to represent a user. The sub of the Access Token will be the App ID.

Fetch an Access Tokenโ€‹

Locate the App ID and App Secretโ€‹

On the application details page, locate the App ID and App Secret.

App ID and App Secret

Accessing Logto Management APIโ€‹

If you want to use this app for accessing Management API, remember to turn on "Enable admin access" in the Advanced settings tab.

API identifier

Locate the API Resourceโ€‹

In the API Resource tab, find the API identifier that the app needs to access. If you haven't added the API Resource in Logto or don't know what API Resource is, see API Resource.

API identifier

Logto Management API is a built-in resource with the fixed identifier

Compose and send the requestโ€‹

Then compose them into a request (all mandatory):

  • Use Token Endpoint (https://your.logto.endpoint/oidc/token) as the request endpoint, and use POST as the method.
  • Set header Content-Type: application/x-www-form-urlencoded
  • Use Basic authentication, where username is the App ID, and password is the App Secret.
  • Carry the body data:
"grant_type": "client_credentials",
"resource": "https://shopping.api", // Replace with your API identitfier
"scope": "scope_1 scope_2" // Replace with your desired scope(s) if you're using RBAC

If you are using cURL:

curl --location \
--request POST 'https://your.logto.endpoint/oidc/token' \
--header 'Authorization: Basic eW91ci1hcHAtaWQ6eW91ci1hcHAtc2VjcmV0' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'resource=https://shopping.api' \
--data-urlencode 'scope=scope_1 scope_2'

Replace https://your.logto.endpoint with the Logto endpoint you are targeting. For Logto Cloud, it will be https://[tenant-id]

Token responseโ€‹

A successful response body would be like:

"access_token": "eyJhbG...2g", // Use this token for accessing the resource
"expires_in": 3600, // Token expiration in seconds
"token_type": "Bearer" // Auth type for your request when using the Access Token

Access resource using Access Tokenโ€‹

You may notice the token response has a token_type field, which it's fixed to Bearer. Thus you should put the Access Token in the Authorization field of HTTP headers with the Bearer format (Bearer YOUR_TOKEN).

For example, if you have requested an Access Token with the resource, to get all applications in Logto:

curl --location \
--request GET 'https://your.logto.endpoint/api/applications' \
--header 'Authorization: Bearer eyJhbG...2g' # Access Token

Replace https://your.logto.endpoint with the Logto endpoint you are targeting. For Logto Cloud, it will be https://[tenant-id]


If you are protecting your own API Resources other than Logto Management API, remember to implement the authentication in your resource. See Protect your API for details.