Authorization

Authorization in Logto defines what users and apps can do after authentication: which APIs, resources, or actions are allowed for each identity.

Logto provides flexible, token-based authorization for modern SaaS and AI apps. You can protect API resources globally, or within the context of each organization. All permissions are managed through a role-based access control (RBAC) system, with advanced support for multi-tenant apps via organization templates.

Core concepts

  • Role-based access control (RBAC): Logto uses RBAC as the foundation for assigning permissions to users, clients, and services. Learn more about RBAC.
  • API resource: Any backend service or endpoint you want to protect (global or organization-specific).
  • Role: A group of permissions (e.g., admin, viewer, editor).
  • Permission (scope): A specific allowed action (e.g., read:report, invite:member).
  • Organization: Represents a tenant, workspace, or customer in your application. This is different from the Logto tenant, which refers to your overall Logto project or instance.
  • Organization template: For multi-tenant apps, define a reusable set of roles and permissions applied across all organizations. See how organization templates work.
  • Access token / organization token: Tokens containing claims for global or organization-scoped permissions.

Authorization scenarios

There are three main authorization patterns in Logto. Pick the scenario that matches your needs:

| Scenario | When to use | Token type | Role config | Learn more |
| --- | --- | --- | --- | --- |
| Global API resource permissions | Protect API resources shared across your entire Logto tenant (not organization-specific) | Access token | Assign global roles/permissions | Protect global API resources |
| Organization (non-API) permissions | Control organization-specific actions, UI features, or business logic (not APIs) | Organization token | Assign organization roles/permissions for app controls | Protect organization (non-API) permissions |
| Organization-level API resource permissions | Protect API resources accessible within a specific organization | Organization token | Assign organization roles/permissions for organization APIs | Protect organization-level API resources |

Logto models API resources according to RFC 8707, using the resource parameter in OAuth 2.0 authorization flows. This makes it simple to secure multiple APIs or microservices, and ensures compatibility with other standards-based systems.

Tip: Need custom claims or advanced access control? See Custom token claims.

How Logto authorization works

  • Token-based: Every access is granted via a secure, signed access token. Your backend validates the token and enforces its permissions (scopes).
  • Global vs. organization permission (scope):
    • Global permission (scope): Controls access to API resources across your entire Logto tenant.
    • Organization permission (scope): Controls both business logic (app features) and API resources within an organization context. Organization permissions can apply to non-API features (such as UI elements or workflows) and/or organization-scoped API endpoints.
  • Roles and permissions (scopes): Roles are collections of permissions (scopes). Assign roles to users or clients globally or within an organization, depending on your scenario.

Next steps

Ready to go further? Start hands-on, explore real-world guides, or deepen your understanding:

Use cases

Looking for practical examples and real-world scenarios? Check out these guides:

Further reading

RBAC and ABAC: The access control models you should know

When should I use JWTs? API authorization methods