Manage users

Manage via Logto Console

Browse and search users

To access the user management functionality in the Logto Console, navigate to Console > User management. Once there, you will see a table view of all the users.

The table consists of three columns:

  • User: It displays information about the user, such as their avatar, full name, username, phone number, and email.
  • From application: It displays the name of the application that the user initially registered with.
  • Latest sign-in: It displays the timestamp of the user's most recent sign-in.

The search box matches keywords against the name, id, username, primary-phone, and primary-email fields.

Add users

Using the Console, developers can create new accounts for end-users. To do so, click on the "Add user" button in the screen's upper right corner.

When creating a user in the Logto Console or via the Management API (not end user self-registered via the UI), you must provide at least one identifier: primary email, primary phone, or username. The name field is optional.

After the user is created, Logto will automatically generate a random password. The initial password will only appear one time, but you can reset the password later. If you want to set a specific password, use the Management API PATCH /api/users/{userId}/password to update it after the user has been created.

You can copy the entered identifiers (email address / phone number / username) and initial password with one click, making it easy to share these credentials with the new user so they can sign in and get started.

tip:

If you want to implement invitation-only registration, we recommend inviting users with a magic link. This allows only whitelisted users to self-register and set their own password.

View and update the user profile

To view the details of a user, simply click on the corresponding row in the user table. This will take you to the "User Details" page where you can find the user's profile information, including:

  • Authentication-related data:
    • Email address (primary_email): Editable
    • Phone number (primary_phone): Editable
    • Username (username): Editable
    • Password (has_password): You can regenerate a random password. Learn more about "Reset user password".
    • Social connections (identities): View linked social accounts and social IDs. For example, if the user has signed in using their Facebook account, you will see a "Facebook" item in the list. You can remove a linked social identity in the Console. But you cannot link a new one on behalf of the end user.
    • Enterprise SSO connections (sso_identities): View linked enterprise identities. You cannot add or remove SSO identities in the Console.
    • Multi-factor authentication (mfa_verification_factor): View all authentication factors (e.g., passkeys, authenticator apps, backup codes) this user has set up. Factors can be removed in the Console.
    • Personal access token: Create, view, rename, and delete personal access tokens.
  • User profile data: name, avatar URL, custom data, and the other OpenID Connect standard claims not listed above. All these profile fields are editable.

warning:

It is important to confirm that the user has an alternative sign-in method before removing a social connection, such as another social connection, phone number, email, or username-with-password. If the user does not have any other sign-in method, they will not be able to access their account again once the social connection is removed.
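The check described in the warning, as an added example that is not part of the Logto docs: a pre-flight guard that refuses to unlink a social identity when the user would be left with no other sign-in method. It uses the profile field names listed above; the nested shape of `identities` (keyed by connector target) and `sso_identities` (a list with an `issuer`) and the sample records are assumptions.

```python
# Added example (not from the Logto docs): pre-flight check before removing a
# linked social identity, based on the profile fields primary_email,
# primary_phone, username, has_password, identities and sso_identities.
# The nested shape of identities/sso_identities is assumed, not documented here.

def remaining_sign_in_methods(user: dict, identity_to_remove: str) -> list:
    """Sign-in methods the user still has once the given social identity
    (e.g. "facebook") is unlinked."""
    methods = []
    # Email and phone can each be used to sign in with a verification code.
    if user.get("primary_email"):
        methods.append("email")
    if user.get("primary_phone"):
        methods.append("phone")
    # A username only works as a sign-in method together with a password.
    if user.get("username") and user.get("has_password"):
        methods.append("username+password")
    # Any other linked social identity remains usable.
    for target in user.get("identities", {}):
        if target != identity_to_remove:
            methods.append(f"social:{target}")
    # Enterprise SSO identities are sign-in methods too.
    for sso in user.get("sso_identities", []):
        methods.append(f"sso:{sso.get('issuer', 'unknown')}")
    return methods


def safe_to_remove_identity(user: dict, identity_to_remove: str) -> bool:
    """True only when the user keeps at least one other way to sign in."""
    if identity_to_remove not in user.get("identities", {}):
        raise ValueError(f"user has no linked {identity_to_remove!r} identity")
    return len(remaining_sign_in_methods(user, identity_to_remove)) > 0


# Constructed sample records (assumed shape) for the two cases in the warning.
SOCIAL_ONLY_USER = {
    "primary_email": None, "primary_phone": None,
    "username": None, "has_password": False,
    "identities": {"facebook": {"userId": "fb-constructed-123"}},
    "sso_identities": [],
}
EMAIL_AND_SOCIAL_USER = {**SOCIAL_ONLY_USER, "primary_email": "alice@example.com"}

if __name__ == "__main__":
    for label, user in [("social-only", SOCIAL_ONLY_USER),
                        ("email+social", EMAIL_AND_SOCIAL_USER)]:
        ok = safe_to_remove_identity(user, "facebook")
        print(f"{label}: {'safe' if ok else 'BLOCKED'}",
              remaining_sign_in_methods(user, "facebook"))
```

Run the same guard against the user record fetched from the Management API before calling the identity-removal endpoint, so that an automated cleanup job cannot lock a user out.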

View user activities

To view the recent activities of a user, navigate to the "User logs" sub-tab on the "User details" page. Here, you can find a table that displays the user's recent activities, including the action performed, the result of the action, the related application, and the time that the user acted.

Click the table row to see more details in the user log, e.g., IP address, user agent, raw data, etc.

Suspend user

On the "User details" page, click "Three dots" -> "Suspend user" button.

Once a user is suspended, the user will be unable to sign in to your app and won't be able to obtain a new access token after the current one expires. Additionally, any API requests made by this user will fail.

If you want to reactivate this user, you can do so by clicking "Three dots" -> "Reactivate user" button.

Delete user

On the "User details" page, click "Three dots" -> "Delete" button. Deleting a user cannot be undone.

Reset user password

On the "User details" page, click "Three dots" -> "Reset password" button, and then Logto will automatically regenerate a random password.

After you reset the password, copy and send it to the end-user. Once the "Reset password" modal is closed, you can no longer view the password. If you forget to keep it, you can reset it again.

You cannot set a specific password for users in the Logto Console, but you can use the Management API PATCH /api/users/{userId}/password to specify a password.

Manage roles of users

In the "Roles" tab of the user details page, you can easily assign or remove roles to meet your desired outcome. Check Role-based access control for details.

View the organizations the user belongs to

Logto supports organizations and can manage their members. You can easily view user details and see which organizations they belong to.

Manage via Logto Management API

Management API is a collection of APIs that provide access to the Logto backend service. As previously mentioned, the user API is a critical component of this service and can support a wide range of scenarios.

The user-related RESTful APIs are mounted at /api/users, except for the user activities (user logs), which are served from /api/logs?userId=:userId.

You can manage users through the Management API in several use cases, such as advanced user search, bulk account creation, and invitation-only sign-up.
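The create-then-set-password flow described on this page (create the user, then PATCH /api/users/{userId}/password) and the separate /api/logs path for activities, as an added example that is not Logto's own SDK. Assumptions: a Management API bearer token, camelCase body fields (primaryEmail, primaryPhone, username, name) for POST /api/users, a {"password": ...} body for the PATCH, and an injectable transport so the sequence can be exercised offline.

```python
# Added example (not Logto's own code): create a user and set a known password via
# the Management API. The bearer token, body field names and base URL are assumed;
# the `send` callable is injectable so the flow can run offline with a fake.
import json
import secrets
import string
import urllib.request

ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"

def generate_password(length: int = 24) -> str:
    """Initial password from the OS CSPRNG; share it out-of-band and never log it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def urllib_send(method, url, token, body):
    """Real transport (assumed): JSON request carrying a Management API bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # PATCH may return an empty body

def create_user_with_password(base_url, token, *, primary_email=None,
                              primary_phone=None, username=None, name=None,
                              password=None, send=urllib_send) -> dict:
    """Create a user (at least one identifier, as the Console also requires),
    then set a specific password with the PATCH endpoint from this page."""
    if not (primary_email or primary_phone or username):
        raise ValueError("provide at least one of primary email, primary phone, username")
    body = {k: v for k, v in {"primaryEmail": primary_email, "primaryPhone": primary_phone,
                              "username": username, "name": name}.items() if v}
    user = send("POST", f"{base_url}/api/users", token, body)
    password = password or generate_password()
    send("PATCH", f"{base_url}/api/users/{user['id']}/password", token, {"password": password})
    return {"id": user["id"], "password": password}

def recent_user_logs(base_url, token, user_id, send=urllib_send):
    """User activities live under /api/logs, not /api/users."""
    return send("GET", f"{base_url}/api/logs?userId={user_id}", token, None)

def fake_send_factory(calls):
    """Offline transport: records each call and returns a constructed user record."""
    def fake_send(method, url, token, body):
        calls.append((method, url, body))
        return {"id": "usr_constructed"} if method == "POST" else {}
    return fake_send
```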

FAQs

How to restrict access to certain applications for specific users?

Due to Logto's Omni-sign-in nature, it's not designed to restrict user access to certain applications before authentication. However, you can still design application-specific user roles and permissions to protect your API resources, and validate permissions on API access upon successful user sign-in. Refer to Authorization: Role-based access control for more information.