Account settings by account API
What is Logto Account API
The Logto Account API is a comprehensive set of APIs that gives the end users direct API access without needing to go through the Management API, here is the highlights:
- Direct access: The Account API empowers end users to directly access and manage their own account profile without requiring the relay of Management API.
- User profile and identities management: Users can fully manage their profiles and security settings, including the ability to update identity information like email, phone, and password, as well as manage social connections. MFA and SSO support are coming soon.
- Global access control: Admin has full, global control over access settings, can customize each fields.
- Seamless authorization: Authorizing is easier than ever! Simply use
client.getAccessToken()
to obtain an opaque access token for OP (Logto), and attach it to the Authorization header asBearer <access_token>
.
With the Logto Account API, you can build a custom account management system like a profile page that is fully integrated with Logto.
Some frequently usage are listed below:
- Retrieve user profile
- Update user profile
- Update user password
- Update user identities including email, phone, and social connections
To learn more about the APIs that are available, please visit Logto Account API Reference and Logto Verification API Reference.
How to enable Account API
By default, the Account API is disabled. To enable it, you need to use the Management API to update the global settings.
The API endpoint /api/account-center
can be used to retrieve and update the account center settings, you can use it to enable or disable the Account API, and customize the fields.
Example request:
curl -X PATCH https://[tenant-id].logto.app/api/account-center \
-H 'authorization: Bearer <access_token for Logto Management API>' \
-H 'content-type: application/json' \
--data-raw '{"enabled":true,"fields":{"username":"Edit"}}'
The enabled
field is used to enable or disable the Account API, and the fields
field is used to customize the fields, the value can be Off
, Edit
, ReadOnly
. The default value is Off
. The list of fields:
name
: The name field.avatar
: The avatar field.profile
: The profile field, including its sub fields.username
: The username field.email
: The email field.phone
: The phone field.password
: The password field, when getting, it will returntrue
if the user has set a password, otherwisefalse
.social
: Social connections.
Learn more about the API details in Logto Management API Reference.
How to access Account API
Fetch an access token
After setting up the SDK in your application, you can use the client.getAccessToken()
method to fetch an access token. This token is an opaque token that can be used to access the Account API.
If you are not using the official SDK, you should set the resource
to empty for the access token grant request to /oidc/token
.
Access Account API using access token
You should put the access token in the Authorization
field of HTTP headers with the Bearer format (Bearer YOUR_TOKEN
) when you're interacting with the Account API.
And example to get the user account information:
curl https://[tenant-id].logto.app/api/my-account \
-H 'authorization: Bearer <access_token>'
Manage basic account information
Retrieve user account information
curl https://[tenant-id].logto.app/api/my-account \
-H 'authorization: Bearer <access_token>'
The response body would be like:
{
"id": "...",
"username": "...",
"name": "...",
"avatar": "..."
}
The response fields may vary depending on the account center settings.
Update basic account information
Basic account information includes the username, name, avatar, and profile.
To update username, name, and avatar, you can use the PATCH /api/my-account
endpoint.
curl -X PATCH https://[tenant-id].logto.app/api/my-account \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"username":"...","name":"...","avatar":"..."}'
To update profile, you can use the PATCH /api/my-account/profile
endpoint.
curl -X PATCH https://[tenant-id].logto.app/api/my-account/profile \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"familyName":"...","givenName":"..."}'
Manage identifiers and other sensitive information
For security reasons, the Account API requires another layer of authorization for the operations that involve identifiers and other sensitive information.
Get a verification record id
First, you need to get a verification record id, this can be used to verify the user's identity when updating identifiers.
To get a verification record id, you can verify the user's password or send a verification code to the user's email or phone.
Verify the user's password
curl -X POST https://[tenant-id].logto.app/api/verifications/password \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"password":"..."}'
The response body would be like:
{
"verificationRecordId": "...",
"expiresAt": "..."
}
Verify by sending a verification code to the user's email or phone
To use this method, you need to configure the email connector or SMS connector, and make sure the UserPermissionValidation
template is configured.
Take email as an example, request a new verification code and get the verification record id:
curl -X POST https://[tenant-id].logto.app/api/verifications/verification-code \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"identifier":{"type":"email","value":"..."}}'
The response body would be like:
{
"verificationRecordId": "...",
"expiresAt": "..."
}
Upon receiving the verification code, you can use it to update the verification status of the verification record.
curl -X PATCH https://[tenant-id].logto.app/api/verifications/verification-code/verify \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"identifier":{"type":"email","value":"..."},"verificationId":"...","code":"123456"}'
After verifying the code, you can now use the verification record id to update the user's identifier.
Send request with verification record id
When sending a request to update the user's identifier, you need to attach the verification record id to the request header with the logto-verification-id
field.
Update or link new email
To use this method, you need to configure the email connector, and make sure the BindNewIdentifier
template is configured.
To update or link a new email, you should first prove the ownership of the email.
Call the POST /api/verifications/verification-code
endpoint to request a verification code.
curl -X POST https://[tenant-id].logto.app/api/verifications/verification-code \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"identifier":{"type":"email","value":"..."}}'
You will find a verificationId
in the response, and receive a verification code in the email, use it to verify the email.
curl -X PATCH https://[tenant-id].logto.app/api/verifications/verification-code/verify \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"identifier":{"type":"email","value":"..."},"verificationId":"...","code":"..."}'
After verifying the code, you can now update the user's email, set the verificationId
to the request body as newIdentifierVerificationRecordId
.
curl -X PATCH https://[tenant-id].logto.app/api/my-account/primary-email \
-H 'authorization: Bearer <access_token>' \
-H 'logto-verification-id: <verification_record_id>' \
-H 'content-type: application/json' \
--data-raw '{"email":"...","newIdentifierVerificationRecordId":"..."}'
Remove the user's email
To remove the user's email, you can use the DELETE /api/my-account/primary-email
endpoint.
curl -X DELETE https://[tenant-id].logto.app/api/my-account/primary-email \
-H 'authorization: Bearer <access_token>' \
-H 'logto-verification-id: <verification_record_id>'
Manage phone
To use this method, you need to configure the SMS connector, and make sure the BindNewIdentifier
template is configured.
Similar to updating email, you can use the PATCH /api/my-account/primary-phone
endpoint to update or link a new phone. And use the DELETE /api/my-account/primary-phone
endpoint to remove the user's phone.
Link a new social connection
To link a new social connection, first you should request an authorization URL:
curl -X POST https://[tenant-id].logto.app/api/verifications/social \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"connectorId":"...","redirectUri":"...","state":"..."}'
connectorId
: The ID of the social connector.redirectUri
: The redirect URI after the user authorizes the application, you should host a web page at this URL and capture the callback.state
: The state to be returned after the user authorizes the application, it is a random string that is used to prevent CSRF attacks.
In the response, you will find a verificationRecordId
, keep it for later use.
After the user authorizes the application, you will receive a callback at the redirectUri
with the state
parameter. Then you can use the POST /api/verifications/social/verify
endpoint to verify the social connection.
curl -X POST https://[tenant-id].logto.app/api/verifications/social/verify \
-H 'authorization: Bearer <access_token>' \
-H 'content-type: application/json' \
--data-raw '{"connectorData":"...","verificationRecordId":"..."}'
The connectorData
is the data returned by the social connector after the user authorizes the application, you need to parse and get the query parameters from the redirectUri
in your callback page, and wrap them as a JSON as the value of the connectorData
field.
Finally, you can use the PATCH /api/my-account/identities
endpoint to link the social connection.
curl -X PATCH https://[tenant-id].logto.app/api/my-account/identities \
-H 'authorization: Bearer <access_token>' \
-H 'logto-verification-id: <verification_record_id>' \
-H 'content-type: application/json' \
--data-raw '{"newIdentifierVerificationRecordId":"..."}'
Remove a social connection
To remove a social connection, you can use the DELETE /api/my-account/identities
endpoint.
curl -X DELETE https://[tenant-id].logto.app/api/my-account/identities/[connector_target_id] \
-H 'authorization: Bearer <access_token>' \
-H 'logto-verification-id: <verification_record_id>'