Logto
Last verified 2026-05-30 · Reviewed by guptadeepak
Editorial verdict
Logto is the modern OSS CIAM with the most aggressive pricing in 2026: an MPL-2.0 self-hosted Community edition at any scale, a Cloud free tier covering 5k MAU, and paid plans starting at $16/month. A connector-based pluggable architecture and clean TypeScript SDKs make it competitive on DX. The trade-off is a narrower compliance footprint and a smaller community than Keycloak; for cost-sensitive greenfield projects, Logto is one of the strongest picks.
At a glance
- Best for: Cost-sensitive teams that want both OSS self-host and managed cloud from one product
- Pricing: tiered-mau
- Free tier: 5,000 MAU
- Deployment: cloud-saas, self-hosted
- SOC 2 Type II: Yes
- Passkeys: Native
- Self-host: Yes
- Open source: No
Funding & business
- Funding model: Venture-backed
- Total raised: $4.6M
- Latest round: Seed · $2.5M · 2022
- Years in business: 5 yrs
- Profitable: Not disclosed
Open-source CIAM by Silverhand Inc.; two seed rounds totalling ~$4.6M (2021-2022).
Funding data is taken from primary sources. See also the CIAM investor landscape.
Strengths
- Most aggressive OSS pricing in the index: a free tier on Cloud plus an MPL-2.0 self-hosted Community edition at any scale.
- Pluggable Connector model: auth providers (Google, GitHub, Apple, custom OAuth/SAML) are added incrementally, without a monolithic configuration.
- Modern TypeScript codebase with clean SDK ergonomics across major frameworks.
- B2B Organizations and multi-tenancy as core data primitives, not bolt-ons.
Limitations
- Smaller community than Keycloak, FusionAuth, or Ory.
- Compliance footprint on Cloud is narrow: SOC 2 Type II only.
- No native FGA, no adaptive MFA, no managed bot defense.
- MPL-2.0 licensing is less permissive than Apache 2.0; some procurement teams flag the copyleft clauses.
Capability matrix
Every vendor scored on the same axes. See the methodology for criteria.
| Capability | Logto |
|---|---|
| Password authentication | Yes |
| Social login | Yes |
| Magic links | Yes |
| SMS OTP | Yes |
| Email OTP | Yes |
| TOTP (authenticator app) | Yes |
| Push MFA | No |
| WebAuthn / passkeys | Yes |
| Biometric | Yes |
| Hardware security keys | Yes |
| SAML SSO | Yes |
| OIDC SSO | Yes |
| OAuth 2.0 SSO | Yes |
| Enterprise federation | Yes |
| Passwordless-only flows | Yes |
| Adaptive MFA | No |
| Step-up auth | Yes |
| RBAC | Yes |
| ABAC | Partial |
| ReBAC | No |
| FGA engine | No |
| API authorization | Yes |
| Fine-grained permissions | Yes |
| Self-service registration | Yes |
| Progressive profiling | Partial |
| Self-service account | Yes |
| Bulk user import | Yes |
| Admin user search | Yes |
| Custom user metadata | Yes |
| Organizations / tenants | Yes |
| Multi-tenancy | Yes |
| REST API | Yes |
| GraphQL API | No |
| SDKs | js, node, react, next, vue, python, go, php, dotnet, swift, android, kotlin |
| CLI | Yes |
| Terraform provider | No |
| Local emulator | Yes |
| Extension model | Webhooks + custom JWT claims + Connectors (auth provider plugins) |
| Bot detection | No |
| Breached password detection | Yes |
| Brute-force protection | Yes |
| Anomaly detection | No |
| Log streams | Partial |
| Audit logs | Yes |
| GDPR data export | Yes |
| PII minimization | Yes |
| Post-quantum roadmap | No |
| MCP support | No |
| OAuth 2.1 | Yes |
| Dynamic client registration | Yes |
| Agent vs human token separation | No |
| Web Bot Auth | No |
| SOC 2 Type II | Yes |
| ISO 27001 | No |
| ISO 27018 | No |
| HIPAA | No |
| PCI DSS | No |
| GDPR | Yes |
| CCPA | Yes |
| FedRAMP | No |
| EU data residency | Yes |
| Consent management | Partial |
| Preference center | Partial |
| Purpose-specific consent | No |
| Integrates with CMPs | n/a |
Pricing
| MAU | Estimated monthly cost |
|---|---|
| 10,000 MAU | $16/mo |
| 100,000 MAU | $200/mo |
| 500,000 MAU | $800/mo |
| 1,000,000 MAU | $1,600/mo |
- Self-hosted Community is MPL-2.0 licensed, free at any scale
- Logto Cloud free tier covers 5k MAU; paid plans start at $16/month
- Connectors (auth provider integrations) are pluggable; pay only for what you deploy
Estimates use the standard assumptions in our methodology. Always confirm with the vendor.
Best for
- Cost-sensitive teams that want both OSS self-host and managed cloud from one product
- B2C and B2B SaaS at low-to-mid MAU prioritizing predictable economics
- Greenfield projects that want clean SDK ergonomics in TypeScript-heavy stacks
Not for
- Workloads requiring HIPAA, FedRAMP, ISO 27001, or PCI DSS
- Mid-large enterprise federation requirements
- Procurement environments requiring strict Apache-2.0-only licensing
FAQ
- What is Logto's MPL-2.0 license?
- Mozilla Public License 2.0, a weak copyleft license allowing self-hosted use, modification, and commercial deployment. Modifications to Logto itself must be released under MPL-2.0 if redistributed; the license does not require open-sourcing applications that use Logto. For most procurement teams this is functionally equivalent to permissive OSS; for strict Apache-2.0-only environments, it requires legal review.
- How does Logto compare to Zitadel?
- Both are modern OSS B2B-friendly CIAM with managed and self-hosted options. Logto is more aggressively priced and has TypeScript-heavy DX; Zitadel is more mature with stronger B2B Organizations and Swiss data residency. For early-stage cost sensitivity, Logto; for mid-stage B2B SaaS with sovereignty needs, Zitadel.
- Does Logto have B2B Organizations?
- Yes, Organizations are a core data primitive supporting multi-tenancy, role hierarchies, and per-org settings. The implementation is competitive with Zitadel and Authentik for B2B SaaS, though less mature than dedicated B2B products like WorkOS or Frontegg.
Sources
- Logto Pricing, accessed 2026-04-22
- Logto Documentation, accessed 2026-04-22
- Logto GitHub, accessed 2026-04-22
What Logto is
Logto launched in 2021 as a modern open-source CIAM with TypeScript-first DX, Connector-based pluggable architecture (auth providers compose as separate modules), and aggressive pricing on both self-hosted and managed deployments. The product covers B2C consumer flows, B2B Organizations, and basic enterprise SSO from one codebase.
Where Logto wins
Aggressive pricing: MPL-2.0 self-hosted at any scale, Cloud free up to 5k MAU, and paid plans from $16/month. The Connector-based architecture means each auth provider integration is a separate module that you pay for only when you deploy it. The modern TypeScript codebase delivers clean SDK ergonomics.
Where Logto hurts
Smaller community than Keycloak, FusionAuth, or Ory. The compliance footprint on Cloud is narrow (SOC 2 only). MPL-2.0 licensing requires legal review in strict-OSS environments. No native FGA, no adaptive MFA, no bot defense.
How Logto compares
The closest comparisons are Logto vs Zitadel, Logto vs FusionAuth, and Auth0 vs Logto. For broader OSS without managed-cloud, Keycloak, Authentik, and Ory are the alternatives.
Go deeper: Open-source licensing 101 explains weak versus strong copyleft and what MPL 2.0 actually permits.