@nwire/auth-logto

@nwire/auth-logto

IdP adapter for Logto — hosted OIDC provider with JWKS verification.

What it does

Verifies Logto-issued JWTs against JWKS (issuer + audience checks), maps claims to the User type (id, email, name, roles, scopes), and handles refresh + sign-out via Logto's OIDC endpoints. signIn intentionally throws — Logto owns the password/social/MFA flows via its hosted UI; apps redirect users there.

Install

pnpm add @nwire/auth-logto @nwire/auth jose

Quick start

import { logtoAdapter } from "@nwire/auth-logto";
import { identityPlugin } from "@nwire/auth";
import { defineApp } from "@nwire/forge";

defineApp("my-app", {
  plugins: [
    identityPlugin({
      adapter: logtoAdapter({
        endpoint: process.env.LOGTO_ENDPOINT!, // https://my-org.logto.app
        audience: process.env.LOGTO_AUDIENCE!, // https://api.my-app.com
        clientId: process.env.LOGTO_CLIENT_ID,
        clientSecret: process.env.LOGTO_SECRET,
        fetchUserInfo: true,
      }),
    }),
  ],
});

API surface

• logtoAdapter({ endpoint, audience, clientId?, clientSecret?, fetchUserInfo? }) — produces an IdpAdapter.

When to use

When you want a managed IdP and don't want to own user storage / MFA / passkeys.

Within nwire-app

For developers using this package as part of the Nwire stack — register it via app.use(...) or it auto-wires when you compose createApp({ modules }).

import { createApp } from "@nwire/forge";

const app = createApp({
  /* ...config... */
});
// Adapter/plugin wiring happens here when applicable.