Logto

Logto is an open-source identity platform that provides OpenID Connect authentication with built-in RBAC support through API resources and roles.

Get issuer URL

You can find the issuer URL on your application details page within Logto Console, under the "Endpoints & Credentials / Issuer endpoint" section. It should look like:

https://my-project.logto.app/oidc

Create API resource and scopes

  1. Sign in to Logto Console (or your self-hosted Logto Console)
  2. Go to "API Resources"
  3. Create a new API resource:
    • Name: e.g., "Todo Manager"
    • Resource indicator: Your MCP server URL, e.g., http://localhost:3001/
      • The resource indicator must match your MCP server's URL.
  4. Add the scopes your MCP server needs, e.g.:
    • create:todos: "Create new todo items"
    • read:todos: "Read all todo items"
    • delete:todos: "Delete any todo item"

Trailing slash in resource indicator

Always include a trailing slash (/) in the resource indicator. Because of a current bug in the official MCP SDK, clients built on it append a trailing slash to the resource indicator when they start an authorization request, so a server at http://localhost:3001 is requested as http://localhost:3001/. An indicator registered without the slash will not match that value, and the request will fail.
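
The following is an added example, not code from Logto or from the MCP SDK. It shows the effect described above from both sides: what a URL-normalising client sends as the resource indicator for a bare server URL, and how an MCP server then checks a token's audience and scopes against the indicator registered in Logto. The issuer and server URL are the ones used on this page; the token payload is constructed for the example, and the WHATWG URL serialisation used as the stand-in for the SDK's behaviour is an assumption about the mechanism, not a statement about the SDK's code.

```javascript
// Added example (not Logto's or the MCP SDK's code): resource indicator matching
// and a server-side audience/scope check. Values below are taken from this page
// or constructed for the example.

const ISSUER = "https://my-project.logto.app/oidc";
const REGISTERED_RESOURCE = "http://localhost:3001/"; // exactly as entered in Logto Console

// Stand-in for the client-side behaviour: given the bare server URL, the client
// ends up sending a slash-terminated indicator. Serialising an origin-only URL
// through the WHATWG URL parser produces exactly that. Whether the SDK's own
// code path is this serialisation is an assumption; the observable effect is the same.
function clientResourceIndicator(serverUrl) {
  return new URL(serverUrl).href;
}

// Resource indicators are compared as plain strings (RFC 8707 does no normalisation),
// which is why "http://localhost:3001" and "http://localhost:3001/" are different resources.
function resourceMatches(sent, registered) {
  return sent === registered;
}

// OAuth `scope` claims are space-separated.
function parseScopes(scope) {
  return new Set(typeof scope === "string" ? scope.split(" ").filter(Boolean) : []);
}

// Access check on an already signature-verified JWT payload. Signature verification
// against the issuer's JWKS is assumed to be done by a JWT library before this runs.
// `now` is injectable so the example is deterministic.
function checkAccess(payload, { issuer, resource, requiredScope, now }) {
  const nowSec = now ?? Math.floor(Date.now() / 1000);
  if (payload.iss !== issuer) return { ok: false, reason: "issuer mismatch" };
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.some((a) => resourceMatches(a, resource))) {
    return { ok: false, reason: "audience mismatch" };
  }
  if (typeof payload.exp !== "number" || payload.exp <= nowSec) {
    return { ok: false, reason: "token expired" };
  }
  if (!parseScopes(payload.scope).has(requiredScope)) {
    return { ok: false, reason: `missing scope ${requiredScope}` };
  }
  return { ok: true, reason: "granted" };
}

// Constructed payload: what a token minted for the "Todo Manager" resource for a
// user holding a role with read and create (but not delete) permissions might carry.
const SAMPLE_PAYLOAD = {
  iss: ISSUER,
  aud: "http://localhost:3001/",
  scope: "read:todos create:todos",
  exp: 1_800_000_000, // 2027-01-15 UTC, fixed so the walk-through below is stable
};
const FIXED_NOW = 1_700_000_000; // 2023-11-14 UTC

// Walk-through.
const sent = clientResourceIndicator("http://localhost:3001");
console.log("client sends resource =", sent); // http://localhost:3001/
console.log("matches 'http://localhost:3001'?", resourceMatches(sent, "http://localhost:3001")); // false
console.log("matches registered indicator?", resourceMatches(sent, REGISTERED_RESOURCE)); // true
console.log(checkAccess(SAMPLE_PAYLOAD, { issuer: ISSUER, resource: REGISTERED_RESOURCE, requiredScope: "read:todos", now: FIXED_NOW })); // granted
console.log(checkAccess(SAMPLE_PAYLOAD, { issuer: ISSUER, resource: REGISTERED_RESOURCE, requiredScope: "delete:todos", now: FIXED_NOW })); // missing scope
console.log(checkAccess(SAMPLE_PAYLOAD, { issuer: ISSUER, resource: "http://localhost:3001", requiredScope: "read:todos", now: FIXED_NOW })); // audience mismatch
```

The last call is the failure mode the note warns about: the token was minted for the slash-terminated indicator Logto knows, so a server comparing against the bare URL rejects every token even though the client, Logto and the server all refer to the same service.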

Create roles

Roles make it easier to manage permissions for groups of users:

  1. Go to "Roles"
  2. Create roles with appropriate scopes, e.g.:
    • Admin: Assign all scopes
    • User: Assign limited scopes
  3. (Optional) Set a default role for new users in the role's "General" tab.

Assign permissions to users

  1. Go to "User management"
  2. Select a user
  3. In the "Roles" tab, assign the appropriate roles

Programmatic Role Management

You can use Logto's Management API to programmatically manage user roles.
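
As an added example (not Logto's own code), here is the role assignment from the steps above done through the Management API instead of the Console. It assumes a machine-to-machine (M2M) application that has been given Logto's built-in Management API access role, a tenant endpoint such as https://my-project.logto.app, the Management API resource indicator (https://<tenant-id>.logto.app/api on Logto Cloud, https://default.logto.app/api on a self-hosted default tenant), and user and role IDs copied from the Console. The endpoint paths and the "all" scope follow Logto's documented Management API usage; the environment variable names are this example's own. Nothing is sent over the network unless LOGTO_ENDPOINT is set.

```javascript
// Added example (not Logto's code): assign roles to a user via the Logto
// Management API using the client_credentials grant from an M2M app.
// Assumptions (see lead-in): M2M app with Management API access, tenant endpoint,
// Management API resource indicator, user/role IDs from the Console. The request
// builders are pure so they can be inspected without credentials.

function tokenRequest({ endpoint, appId, appSecret, resource }) {
  return {
    url: `${endpoint}/oidc/token`,
    method: "POST",
    headers: {
      "Content-Type": "application/x-www-form-urlencoded",
      // client_secret_basic: the M2M app's credentials travel in the Authorization header
      Authorization: "Basic " + Buffer.from(`${appId}:${appSecret}`).toString("base64"),
    },
    body: new URLSearchParams({
      grant_type: "client_credentials",
      resource,     // audience-restricts the token to the Management API resource
      scope: "all", // the scope Logto's Management API resource exposes
    }).toString(),
  };
}

function assignRolesRequest({ endpoint, accessToken, userId, roleIds }) {
  return {
    url: `${endpoint}/api/users/${encodeURIComponent(userId)}/roles`,
    method: "POST",
    headers: { Authorization: `Bearer ${accessToken}`, "Content-Type": "application/json" },
    body: JSON.stringify({ roleIds }),
  };
}

async function send(req) {
  const res = await fetch(req.url, { method: req.method, headers: req.headers, body: req.body });
  if (!res.ok) {
    throw new Error(`${req.method} ${req.url} -> ${res.status}: ${await res.text()}`);
  }
  return res;
}

// Obtain an M2M access token, then assign the roles. Returns the HTTP status of the assignment.
async function assignRoles(config, userId, roleIds) {
  const tokenRes = await send(tokenRequest(config));
  const { access_token: accessToken } = await tokenRes.json();
  const res = await send(assignRolesRequest({ endpoint: config.endpoint, accessToken, userId, roleIds }));
  return res.status;
}

// Only runs against a real tenant when the (example-specific) env vars are set.
if (process.env.LOGTO_ENDPOINT) {
  assignRoles(
    {
      endpoint: process.env.LOGTO_ENDPOINT,
      appId: process.env.LOGTO_M2M_APP_ID,
      appSecret: process.env.LOGTO_M2M_APP_SECRET,
      resource: process.env.LOGTO_MGMT_RESOURCE,
    },
    process.env.LOGTO_USER_ID,
    process.env.LOGTO_ROLE_IDS.split(","),
  ).then(
    (status) => console.log("assign roles ->", status),
    (err) => { console.error(err.message); process.exitCode = 1; },
  );
}
```

Keep the M2M secret out of the MCP server process itself: it grants full Management API access, which is far more than the user-scoped tokens the server validates. Run role changes from a separate, tightly scoped admin job.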

Retrieving user identity

Logto is an OpenID Connect provider that supports the standard userinfo endpoint to retrieve user identity information.

To fetch an access token that can be used to access the userinfo endpoint, at least two scopes are required: openid and profile.

Register MCP client

Since Logto does not support Dynamic Client Registration yet, you need to manually register your MCP client in Logto Console.

Third-party vs. first-party applications

Before creating the application, you need to understand the difference:

  • Third-party application: Use this when the MCP client is developed by someone else (e.g., VS Code, Cursor, or other community tools). These clients need to access your users' data, but are not under your control. Users will see a consent screen asking them to authorize the MCP client to access their information.
  • First-party application: Use this when you are building your own MCP client (e.g., an AI assistant embedded in your own product). In this case, both the MCP client and MCP server are managed by you, and the users are your own users. No consent screen is needed.

Application type

Choose the application type based on how the MCP client runs:

MCP Client                        Application Type
VS Code, Cursor (desktop apps)    Native App
MCP Inspector (browser-based)     Single Page App (SPA)

Register a third-party app

Take VS Code as an example:

  1. Navigate to Applications > Third-party apps and click "Create application".
  2. Select Native App as the application type (since VS Code is a desktop application).
  3. Fill in the application name (e.g., "VS Code") and description.
  4. Set the Redirect URIs (check the MCP client's documentation for the required URIs):
    http://127.0.0.1
    https://vscode.dev/redirect
    
  5. Click "Save changes".
  6. Go to the app's "Permissions" tab and, under the "User" section, add the permissions your MCP server requires from your API resource (e.g., create:todos, read:todos, delete:todos). Only the permissions listed here can be requested by this client.
  7. Copy the "App ID" value for use in VS Code.

Register a first-party app

If you are building your own MCP client:

  1. Navigate to Applications and click "Create application".
  2. Select the appropriate application type based on your client (Native App, SPA, etc.).
  3. Complete the setup following the in-app guide.
  4. Copy the "App ID" (and "App Secret" if applicable) for use in your MCP client.