
Manage users

Manage via Logto Console

Browse and search users

To access the user management functionality in the Logto Console, navigate to Console > User management. Once there, you will see a table view of all the users.

The table consists of three columns:

  • User: It displays information about the user, such as their avatar, full name, username, phone number, and email
  • From application: It displays the name of the application that the user initially registered with
  • Latest sign-in: It displays the timestamp of the user's most recent sign-in.

The search box matches keywords against the name, id, username, primary-phone, and primary-email fields.

Add users

Using the Console, developers can create new accounts for end-users. To do so, click on the "Add user" button in the screen's upper right corner.

When creating a user in the Logto Console or via the Management API (not end user self-registered via the UI), you must provide at least one identifier: primary email, primary phone, or username. The name field is optional.

After the user is created, Logto automatically generates a random password. The initial password is shown only once, but you can reset the password later. If you want to set a specific password, use the Management API PATCH /api/users/{userId}/password to update it after the user has been created.

You can copy the entered identifiers (email address / phone number / username) and initial password with one click, making it easy to share these credentials with the new user so they can sign in and get started.

tip:

If you want to implement invitation-only registration, we recommend inviting users with a magic link. This allows only whitelisted users to self-register and set their own password.

View and update the user profile

To view the details of a user, simply click on the corresponding row in the user table. This will take you to the "User Details" page where you can find the user's profile information, including:

  • Authentication-related data:
    • Connection:
      • Social connections (identities):
        • View the user's linked social accounts, including social IDs and profile details synced from their social providers (e.g., a "Facebook" entry will appear if the user signed in via Facebook).
        • You can remove existing social identities, but you cannot link new social accounts on behalf of the user.
        • For social connectors with token storage enabled, you can view and manage access tokens and refresh tokens in the connection detail page.
      • Enterprise SSO connections (sso_identities):
        • View the user's linked enterprise identities, including enterprise IDs and profile details synced from their enterprise identity providers.
        • You cannot add or remove enterprise SSO identities in the Console.
        • For OIDC-based enterprise connectors with token storage enabled, you can view and delete tokens in the connection detail page.
  • User profile data: name, avatar URL, custom data, and any other OpenID Connect standard claims not listed above. All these profile fields are editable.

warning:

Before removing a social connection, confirm that the user has another sign-in method, such as a second social connection, a phone number, an email address, or a username with password. If the user has no other sign-in method, they will not be able to access their account again once the social connection is removed.

View user activities

To view the recent activities of a user, navigate to the "User logs" sub-tab on the "User details" page. Here, you can find a table that displays the user's recent activities, including the action performed, the result of the action, the related application, and the time that the user acted.

Click the table row to see more details in the user log, e.g., IP address, user agent, raw data, etc.

Suspend user

On the "User details" page, click "Three dots" -> "Suspend user" button.

Once a user is suspended, the user will be unable to sign in to your app and won't be able to obtain a new access token after the current one expires. Additionally, any API requests made by this user will fail.

If you want to reactivate this user, you can do so by clicking "Three dots" -> "Reactivate user" button.

Delete user

On the "User details" page, click "Three dots" -> "Delete" button. Deleting a user cannot be undone.

Reset user password

On the "User details" page, click "Three dots" -> "Reset password" button, and then Logto will automatically regenerate a random password.

After you reset the password, copy and send it to the end-user. Once the "Reset password" modal is closed, you can no longer view the password. If you forget to keep it, you can reset it again.

You cannot set a specific password for users in the Logto Console, but you can use the Management API PATCH /api/users/{userId}/password to specify a password.

Manage roles of users

In the "Roles" tab of the user details page, you can assign or remove roles as needed. Check Role-based access control for details.

View the organizations the user belongs to

Logto supports organizations and can manage their members. You can easily view user details and see which organization they belong to.

Manage via Logto Management API

Management API is a collection of APIs that provide access to the Logto backend service. As previously mentioned, the user API is a critical component of this service and can support a wide range of scenarios.

The user-related RESTful APIs are mounted under /api/users, except for user activities (user logs), which are served at /api/logs?userId=:userId.

You can manage users through the Management API in several use cases, such as advanced user search, bulk account creation, and invitation-only sign-up.
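The following is an added example, not Logto's own code, of a small Management API client that walks through the workflow this page describes: create an account with at least one identifier, replace the auto-generated password with PATCH /api/users/{userId}/password, search for the user, and read their logs from /api/logs?userId=. It assumes you already hold a Management API access token for a machine-to-machine application. The request body for POST /api/users, the `search` query parameter on GET /api/users, and the PATCH /api/users/{userId}/is-suspended endpoint used for the "Suspend user" action are assumed shapes not stated on this page; check them against the Management API reference. The fetch stand-in is constructed so the example runs offline.

```javascript
// Added example, not Logto's own code. Assumed (not on this page): the body of
// POST /api/users, the `search` query parameter on GET /api/users, and the
// PATCH /api/users/{userId}/is-suspended endpoint. The page itself names
// /api/users, PATCH /api/users/{userId}/password and GET /api/logs?userId=.

// Rule from the page: a Console/API-created user needs at least one identifier;
// `name` alone is not enough.
function assertHasIdentifier(user) {
  if (!user.primaryEmail && !user.primaryPhone && !user.username) {
    throw new Error('user needs at least one of primaryEmail, primaryPhone, username');
  }
}

// Pure request builder, separated from I/O so requests can be inspected and tested.
function buildRequest({ endpoint, accessToken }, method, path, body) {
  const headers = { authorization: `Bearer ${accessToken}` };
  if (body !== undefined) headers['content-type'] = 'application/json';
  return {
    url: `${endpoint}${path}`,
    init: { method, headers, body: body === undefined ? undefined : JSON.stringify(body) },
  };
}

function createManagementClient(config, fetchImpl = globalThis.fetch) {
  async function call(method, path, body) {
    const { url, init } = buildRequest(config, method, path, body);
    const response = await fetchImpl(url, init);
    if (!response.ok) throw new Error(`${method} ${path} -> HTTP ${response.status}`);
    return response.status === 204 ? null : response.json();
  }
  const id = (userId) => encodeURIComponent(userId);
  return {
    createUser(user) {
      assertHasIdentifier(user);
      return call('POST', '/api/users', user);
    },
    // The page's documented way to set a specific password after creation.
    setPassword: (userId, password) => call('PATCH', `/api/users/${id(userId)}/password`, { password }),
    searchUsers: (keyword) => call('GET', `/api/users?search=${encodeURIComponent(keyword)}`),
    getUserLogs: (userId) => call('GET', `/api/logs?userId=${id(userId)}`),
    // Assumed endpoint behind the Console's "Suspend user" / "Reactivate user" actions.
    setSuspended: (userId, isSuspended) =>
      call('PATCH', `/api/users/${id(userId)}/is-suspended`, { isSuspended }),
  };
}

// Constructed stand-in for fetch so the example runs offline: records every
// request and answers with canned JSON roughly shaped like real responses.
function createRecordingFetch() {
  const calls = [];
  async function fetchImpl(url, init) {
    const { pathname, searchParams } = new URL(url);
    const body = init.body ? JSON.parse(init.body) : undefined;
    calls.push({ method: init.method, pathname, query: Object.fromEntries(searchParams), body });
    let payload = {};
    if (init.method === 'POST' && pathname === '/api/users') payload = { id: 'usr_constructed_1', ...body };
    else if (pathname === '/api/users') payload = [{ id: 'usr_constructed_1' }];
    else if (pathname === '/api/logs') payload = [{ key: 'Interaction.SignIn', result: 'Success' }];
    return { ok: true, status: 200, json: async () => payload };
  }
  return { calls, fetchImpl };
}

// The page's workflow end to end: create the account, set a known password in
// place of the auto-generated one, look the user up, read their logs, suspend them.
async function runUserLifecycle() {
  const { calls, fetchImpl } = createRecordingFetch();
  const client = createManagementClient(
    { endpoint: 'https://tenant.example', accessToken: 'm2m-token-placeholder' }, // placeholders
    fetchImpl,
  );
  const user = await client.createUser({ primaryEmail: 'alice@example.com', name: 'Alice' });
  await client.setPassword(user.id, 'Set-By-Admin-Example-1!');
  const found = await client.searchUsers('alice');
  const logs = await client.getUserLogs(user.id);
  await client.setSuspended(user.id, true);
  return { userId: user.id, found, logs, calls };
}
```

Keeping `buildRequest` pure makes it easy to log or audit every Management API call an automation script issues, which matters because this token can create accounts and set passwords.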

FAQs

How to restrict access to certain applications for specific users?

Due to Logto's Omni-sign-in nature, it is not designed to restrict user access to certain applications before authentication. However, you can still design application-specific user roles and permissions to protect your API resources, and validate permissions on API access after the user has signed in. Refer to Authorization: Role-based access control for more information.
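As an added illustration of the pattern this answer recommends (not Logto's own code), the block below enforces access at the API resource rather than at sign-in: each route declares the permission it needs and the decision is taken from the access token's claims. It assumes your JWT library has already verified the token's signature and issuer against Logto's JWKS, so `claims` is the trusted payload; that the `aud` claim carries the API resource indicator, `scope` is a space-separated string, and `client_id` identifies the calling application are assumed claim shapes. The route table, resource indicator, and claims are constructed for the example.

```javascript
// Added example, not Logto's own code. Assumed: signature and issuer were already
// verified by a JWT library; `aud` holds the API resource indicator, `scope` is a
// space-separated string, and `client_id` names the calling application.

function authorize(claims, { resource, requiredScopes, now = Math.floor(Date.now() / 1000) }) {
  if (!claims || typeof claims !== 'object') return { allowed: false, reason: 'no_claims' };
  // Defense in depth: reject expired tokens even if the library already checked.
  if (typeof claims.exp === 'number' && claims.exp <= now) return { allowed: false, reason: 'expired' };
  // A token minted for another API resource must not be accepted here.
  const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!audiences.includes(resource)) return { allowed: false, reason: 'wrong_audience' };
  // Permissions granted through the user's roles arrive as scopes on the token.
  const granted = new Set(String(claims.scope ?? '').split(' ').filter(Boolean));
  const missing = requiredScopes.filter((scope) => !granted.has(scope));
  if (missing.length > 0) return { allowed: false, reason: 'missing_scope', missing };
  return { allowed: true, subject: claims.sub, application: claims.client_id };
}

// Constructed route table: the permission each operation on this resource requires.
const API_RESOURCE = 'https://api.example.com/orders'; // placeholder resource indicator
const ROUTE_SCOPES = {
  'GET /orders': ['read:orders'],
  'POST /orders': ['write:orders'],
  'DELETE /orders': ['read:orders', 'delete:orders'],
};

// Maps the authorization decision to an HTTP status: an unusable token is 401,
// a valid token lacking the permission is 403.
function handle(method, path, claims, now) {
  const required = ROUTE_SCOPES[`${method} ${path}`];
  if (!required) return { status: 404 };
  const decision = authorize(claims, { resource: API_RESOURCE, requiredScopes: required, now });
  if (!decision.allowed) {
    return { status: decision.reason === 'missing_scope' ? 403 : 401, reason: decision.reason };
  }
  return { status: 200, subject: decision.subject, application: decision.application };
}

// Constructed claims: a support-role user whose token grants read but not delete.
const SUPPORT_CLAIMS = {
  sub: 'usr_constructed_1',
  client_id: 'app_constructed_support',
  aud: API_RESOURCE,
  scope: 'read:orders',
  exp: 2_000_000_000,
};
const NOW = 1_900_000_000;

function demo() {
  return {
    read: handle('GET', '/orders', SUPPORT_CLAIMS, NOW),
    remove: handle('DELETE', '/orders', SUPPORT_CLAIMS, NOW),
    otherApi: handle('GET', '/orders', { ...SUPPORT_CLAIMS, aud: 'https://api.example.com/billing' }, NOW),
    expired: handle('GET', '/orders', { ...SUPPORT_CLAIMS, exp: NOW - 1 }, NOW),
  };
}
```

Because the check keys on the resource indicator and the granted scopes, a user who can sign in to every application still only reaches the APIs their roles permit, which is the control the answer above points to.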