
Enable third-party AI agent access to your app

This guide walks you through integrating Logto with your service and enabling AI agents to access it.

You'll learn how to:

  • Configure Logto as the authorization server for your service.
  • Obtain an access token for the AI agent to access your service.
  • Test the flow with an AI agent.

Difference between third-party AI agent and your own AI agent (or app)

Let's take a look at an example. Imagine you’re a developer running a service that provides weather data.

Official weather app (Your own AI agent / app)

  • You provide an official weather app for users to check the weather.
  • How it works: The official weather app connects to your service using Logto to authenticate users. When Alice signs in, she automatically gets access to the weather data, no extra permission screens needed, since it’s your trusted app.

Third-party AI agent

  • You’re building an ecosystem around your service, so another developer creates "WeatherBot" (an AI assistant that provides weather updates and forecasts) and integrates it as a third-party AI agent.
  • How it works: WeatherBot (third-party AI agent) wants to access user weather data via your service. When Alice signs in to WeatherBot using her account:
    • She’s shown a consent screen, asking permission for WeatherBot to access her weather data.
    • Alice can allow or deny this access.
    • Only the data she consents to is shared with WeatherBot, and WeatherBot cannot access any additional data without explicit re-consent.

This permission control keeps user data safe: even though your service manages all the data, third-party AI agents like WeatherBot can only access what the user has explicitly allowed. They cannot bypass this process, because your service enforces it every time it validates an access token and the scopes granted in it.

Summary

Client type             Example                Consent required?   Who controls it?
Official weather app    Your own weather app   No                  You (the developer)
Third-party AI agent    WeatherBot assistant   Yes                 Another developer
Note:

If you want to integrate your service with your own AI agent or app, please refer to our quick start guides for more information.

Prerequisites

  • A Logto Cloud (or self-hosted) tenant
  • A service that exposes API endpoints to be accessed by the AI agent

Understanding the flow

  • Service: The service you want to expose to the AI agent.
  • AI agent: The AI agent that will access your service.
  • Logto: Serves as the OpenID Connect provider (authorization server) and manages user identities.

A non-normative sequence diagram illustrates the overall flow of the process:

Set up third-party AI agent

To set up a third-party AI agent to access your service, you need to follow these steps:

  1. Register the AI agent in Logto: Create an application in Logto to represent the AI agent.
  2. Configure the AI agent: Ensure the AI agent can make requests to your service and handle the 401 Unauthorized response.
  3. Implement the authorization flow: The AI agent should be able to handle the OAuth 2.0 authorization flow to obtain an access token from Logto.
  4. Test the integration: Use the AI agent to access your service and verify that it can successfully authenticate and authorize requests.

Configure third-party AI agent in Logto

To enable the third-party AI agent to access your service, you need to set up a third-party app in Logto. This app represents the AI agent and is where it obtains the credentials it needs for authentication and authorization.

Allow developers to create third-party apps in Logto

If you are building a marketplace or want to allow developers to create third-party apps in Logto, you can leverage Logto Management API to create third-party apps programmatically. This allows developers to register their applications and obtain the necessary credentials for authentication.

You'll need to host your own service to handle the client registration process. This service will interact with the Logto Management API to create third-party apps on behalf of developers.

Alternatively, you can manually create third-party apps in Logto Console to get familiar with the process.

Manually create a third-party app in Logto

You can manually create a third-party app in Logto Console for testing purposes or ad-hoc integrations. This is useful when you want to quickly test the integration without implementing a full client-registration flow.

  1. Sign in to your Logto Console.

  2. Go to Applications -> Create application -> Third-party app -> OIDC.

  3. Fill in the app name and other required fields, then click Create application.

  4. Open the Permissions tab. In the User section, click Add.

  5. In the dialog that opens, under User data, select the profile and email permissions, then click Save.

  6. In the third-party app, request the openid profile email permissions (scopes).

    Note: openid is required for OIDC; profile and email are the permissions you added in the previous step. A scope the app requests but was not granted in Logto will not appear on the consent screen or in the token.

  7. Configure the redirect URI in your third-party application, and register the same redirect URI in Logto. The two values must match exactly, or the authorization request will be rejected.

Third-party app permissions

Under the hood, a third-party app is just a standard OAuth 2.0 / OIDC client. This means you (or the third-party developer) can use any OAuth 2.0 / OIDC library or framework to integrate with Logto.

If you're not familiar with OAuth 2.0 or OIDC, you can start by following one of our “Traditional web” quick start guides.

A few things to keep in mind:

  1. Logto currently requires third-party apps to be “Traditional web” apps. In other words, the app needs a backend server (or backend-for-frontend) that can store the client secret securely, out of reach of the browser or the agent's runtime.
  2. Most of our quick start guides are written for first-party apps, but you can still use them as a reference for third-party app integration.
  3. The main difference is that third-party apps show a consent screen, asking users for explicit permission to access their data.

You can find more information in our quick start guides.

Set up authorization in your service

To enable access control in your service, you need to implement the following:

  1. Define API resources in Logto: Create API resources in Logto that represent the endpoints your AI agent will access, together with the scopes (permissions) each endpoint requires.
  2. Implement access control logic: In your service, validate the access token received from the AI agent (signature against Logto's JWKS, issuer, audience matching your API resource, expiry) and check that the scopes granted in it cover the requested resource.
  3. Respond to the AI agent: If the access token is valid and carries the required scope, return the requested resource. If the token is missing or invalid, return a 401 Unauthorized response so the agent starts the authorization flow; if the token is valid but lacks the required scope, a 403 Forbidden response tells the agent it needs to request additional consent rather than re-authenticate.

To learn more about how to implement access control in your service, refer to our Authorization guide.

Test the integration

  1. Start your service.
  2. Start the AI agent.
  3. In the AI agent, invoke the API endpoint to access your service.
  4. The AI agent should handle the 401 Unauthorized response and redirect the user to Logto for authentication and consent.
  5. After successful authentication, the AI agent should receive an access token and use it to make requests to your service.
  6. The AI agent should be able to retrieve the resource from your service using the access token.