Logto

Band: C
Headless Index: 50/100
JAIRF: 84/100 (AI-Ready)
Verified MAY 21, 2026
Methodology v1 · JAIRF v1.0.0

Powered by JAIRF v1.0.0 by Jentic · open methodology at /the-headless-index/methodology

Editorial verdict
Logto is partially headless and partly UI-led. The Headless Index thesis-fit score of 50/100 puts it mid-table on the index, and JAIRF v1.0.0 puts it at 84/100 (Level 3, AI-Ready). In practice, vendors at this tier are partly machine-consumable: the core flows are reachable through code but several adjacent surfaces still expect a human at a dashboard, and the rest of this verdict explains where Logto lands inside that pattern.

On the API surface, the question is whether the API is the product or a layer beneath the dashboard. Logto is an open-source identity product with a Management API, an Experience API for end-user flows, and SDKs across Node, React, Vue, Angular, Next.js, Expo, Go, Python, PHP, and Java. The product is API-first and the documentation explicitly orients itself around developer-facing integration patterns.[1]

Schema observability is the related test: can an agent introspect the contract from cold, or does it have to read prose documentation to do so? The OpenAPI specification is published in the logto-io/logto repository and powers the SDK code generation. Agents can fetch and consume the spec directly. This is reference-class schema discoverability for an open-source identity product.[2]

An agent can drive parts of this product, but not all of it: integrators should plan for human-in-the-loop checkpoints where the headless surface stops short. On headless operability: tenant configuration, user CRUD, role and permission authoring, connector setup, custom domains, hooks, and webhook subscriptions are all programmable. The logto-cli supports local development. Self-hosting is supported alongside the managed Cloud offering.[3]

On the MCP and agent-integration axis, which is the fastest-moving criterion in the index: no first-party Logto MCP server has been published. The product is young enough that the protocol-layer story is still emerging, but the open-source codebase under logto-io makes downstream MCP integration straightforward.[4]

Event posture closes the loop: an agent that cannot react to state changes is reduced to polling. Webhook subscriptions cover user, organisation, and authentication events with HMAC signing. The catalog is appropriately scoped for the modern identity use case.

Net assessment: integrators can build agent flows against Logto, but the rough edge to plan around is webhooks and events.[5] Expect to wrap missing pieces in bespoke glue or accept human-in-the-loop checkpoints. Workable but requires scaffolding.
Verdict by Headless Index pipeline (auto)
// AI-drafted from the evidence layer. Editorial review pending.
Scores

Scorecard detail

Headless Index · 5 sub-criteria
API-first design intent: 16/20
scored

Logto is an open-source identity product with a Management API, an Experience API for end-user flows, and SDKs across Node, React, Vue, Angular, Next.js, Expo, Go, Python, PHP, and Java. The product is API-first and the documentation explicitly orients itself around developer-facing integration patterns.

signals (6)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • + OpenAPI spec: Published, 0 operations
  • · GraphQL endpoint: Discovered at https://logto.io/api/graphql, introspection disabled or scoped
  • + SDKs maintained: 5 (php, python, ruby, swift, typescript); top by stars: logto-io/python (13 stars)
  • + SDK recency: 3 of 5 SDK repos pushed within 30 days (most recent SDK commit: 2026-05-18)
  • + npm weekly downloads: 47.8k across published packages; top: @logto/client @ 47.8k/week
cite (1)
  • ai_review_browser.auth@2026-05-20
Headless operation: 8/20
scored

Tenant configuration, user CRUD, role and permission authoring, connector setup, custom domains, hooks, and webhook subscriptions are all programmable. The logto-cli supports local development. Self-host is supported alongside the managed Cloud offering.

signals (9)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • API operations exposed: OpenAPI present but operations could not be counted
  • · Docs pages crawled: 0 pages (crawler: none)
  • · Auth schemes documented: Auth documentation page not reached by crawler
  • · Setup / quickstart docs: Not reached by crawler
  • · Billing docs: Not reached by crawler
  • · Teams / org docs: Not reached by crawler
  • · CLI docs: Not reached by crawler
  • · Schema / data model docs: Not reached by crawler
cite (1)
  • ai_review_browser.topics_found@2026-05-20
MCP & agent posture: 8/20
scored

No first-party Logto MCP server has been published. The product is young enough that the protocol-layer story is still emerging, but the open-source codebase under logto-io makes downstream MCP integration straightforward.

signals (4)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • Official MCP server: None found in vendor's GitHub org or the official MCP registry
  • Community MCP servers: None found
  • + Agent-friendly SDKs: 1 TS/JS SDK available; top: @logto/client (47.8k/week downloads)
cite (1)
  • ai_review_browser.mcp@2026-05-20
Schema observability: 14/20
scored

OpenAPI specification is published in the logto-io/logto repository and powers the SDK code generation. Agents can fetch and consume the spec directly. This is reference-class schema discoverability for an open-source identity product.

signals (3)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • + OpenAPI: Published at https://default.logto.app/api/swagger.json (OpenAPI undefined, 0 operations)
  • · GraphQL introspection: GraphQL endpoint at https://logto.io/api/graphql but introspection is disabled, scoped, or behind authentication
cite (1)
  • ai_review_browser.schema@2026-05-20
Webhooks & events: 4/20
scored

Webhook subscriptions cover user, organisation, and authentication events with HMAC signing. The catalog is appropriately scoped for the modern identity use case.

signals (2)
  • + AI review applied: Reviewer: Editorial review on 2026-05-20
  • · Webhook docs page: Not reached by crawler within budget (0 pages crawled). Cannot confirm whether vendor offers webhooks.
cite (1)
  • ai_review_browser.pages_fetched@2026-05-20
JAIRF · 6 dimensions
FC (Foundational Compliance): 70/100

Structural validity, standards conformance, and parsability of the OpenAPI specification.

DXJ (Developer Experience & Tooling Compatibility): 81.1/100

Documentation clarity, example coverage, response completeness, and ingestion health.

ARAX (AI-Readiness & Agent Experience): 89.3/100

Semantic clarity, intent expression, datatype specificity, and error standardization.

AU (Agent Usability): 89.9/100

Operational composability, complexity comfort, navigation affordances, and safety patterns.

SEC (Security): 80/100

Authentication strength, transport security, secret hygiene, and OWASP risk posture.

AID (AI Discoverability): 99.7/100

Descriptive richness, intent phrasing, workflow context, and registry signals.

Band rationale: C band: scores 40-75 range
