Machine to Machine: Auth with Logto
This tutorial assumes you have created an Application of type "Machine to Machine" in Admin Console. If you are not ready, read this before continuing.
Intro
Machine to Machine (M2M) is a common way to authenticate when you have an app that needs to talk directly to resources, e.g. an API service that updates users' custom data in Logto, or a statistics service that pulls daily orders.
Usually, an M2M app doesn't need user interactions, i.e., it has no UI.
Logto does not currently support an M2M app representing a user. The sub claim of the Access Token will be the App ID.
Fetch an Access Token
Locate the App ID and App Secret
On the application details page, locate the App ID and App Secret.

Accessing Logto Management API
If you want to use this app for accessing Management API, remember to turn on "Enable admin access" in the Advanced settings tab.

Locate the API Resource
In the API Resource tab, find the API identifier that the app needs to access. If you haven't added the API Resource in Logto or don't know what API Resource is, see API Resource.

Logto Management API is a built-in resource with the fixed identifier https://api.logto.io.
Compose and send the request
Then compose them into a request (all mandatory):
- Use the Token Endpoint (https://your.logto.endpoint/oidc/token) as the request endpoint, and use POST as the method.
- Set the header Content-Type: application/x-www-form-urlencoded
- Use Basic authentication, where the username is the App ID and the password is the App Secret.
- Carry the body data:
{
"grant_type": "client_credentials",
"resource": "https://shopping.api", // Replace with your API identifier
"scope": "scope_1 scope_2" // Replace with your desired scope(s) if you're using RBAC
}
If you are using cURL:
curl --location \
--request POST 'https://your.logto.endpoint/oidc/token' \
--header 'Authorization: Basic eW91ci1hcHAtaWQ6eW91ci1hcHAtc2VjcmV0' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'resource=https://shopping.api' \
--data-urlencode 'scope=scope_1 scope_2'
Replace https://your.logto.endpoint with the Logto endpoint you are targeting. For Logto Cloud, it will be https://[tenant-id].logto.app.
Token response
A successful response body would be like:
{
"access_token": "eyJhbG...2g", // Use this token for accessing the resource
"expires_in": 3600, // Token expiration in seconds
"token_type": "Bearer" // Auth type for your request when using the Access Token
}
Access resource using Access Token
You may notice the token response has a token_type field, which is fixed to Bearer. Thus you should put the Access Token in the Authorization field of the HTTP headers in the Bearer format (Bearer YOUR_TOKEN).
For example, if you have requested an Access Token with the resource https://api.logto.io, to get all applications in Logto:
curl --location \
--request GET 'https://your.logto.endpoint/api/applications' \
--header 'Authorization: Bearer eyJhbG...2g' # Access Token
Replace https://your.logto.endpoint with the Logto endpoint you are targeting. For Logto Cloud, it will be https://[tenant-id].logto.app.
Authentication
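The token request and the Bearer header above, put together in one small Python client. This is an added example, not Logto's own SDK: the endpoint, App ID, App Secret and resource values are the placeholders from this page, and the only network call is the one you make by passing a real Logto endpoint to fetch_m2m_token.

```python
import base64
import json
import urllib.parse
import urllib.request


def build_token_request(endpoint, app_id, app_secret, resource, scope=None):
    """Compose the client_credentials request: (url, headers, form body bytes).

    The App ID and App Secret travel only in the Basic Authorization header,
    never in the URL or the form body, so they do not end up in access logs.
    """
    creds = base64.b64encode(f"{app_id}:{app_secret}".encode()).decode()
    form = {"grant_type": "client_credentials", "resource": resource}
    if scope:
        form["scope"] = scope  # space-separated scopes when using RBAC
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    url = f"{endpoint.rstrip('/')}/oidc/token"
    return url, headers, urllib.parse.urlencode(form).encode()


def bearer_header(token_response):
    """Turn the token response into the Authorization header for the resource call.

    token_type is fixed to Bearer; refuse anything else rather than guessing.
    """
    token_type = token_response.get("token_type")
    if token_type != "Bearer":
        raise ValueError(f"unexpected token_type: {token_type!r}")
    return {"Authorization": f"Bearer {token_response['access_token']}"}


def fetch_m2m_token(endpoint, app_id, app_secret, resource, scope=None,
                    opener=urllib.request.urlopen):
    """POST the token request and return the parsed JSON response.

    `opener` is injectable so the exchange can be exercised without a live tenant.
    """
    url, headers, body = build_token_request(endpoint, app_id, app_secret, resource, scope)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values from this page; replace them with your tenant's before running.
    token = fetch_m2m_token("https://your.logto.endpoint", "your-app-id",
                            "your-app-secret", "https://api.logto.io")
    print(bearer_header(token))
```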
If you are protecting your own API Resources other than Logto Management API, remember to implement the authentication in your resource. See Protect your API for details.