--- title: Configuring Logto Authentication Service in LobeChat description: >- Learn how to configure Logto authentication service in LobeChat, including deployment, creation, setting permissions, and environment variables. tags: - Logto Authentication - Environment Variable Configuration - Single Sign-On - LobeChat --- # Configuring Logto Authentication Service [Logto](https://github.com/logto-io/logto) is an open-source authentication service with a simple and beautiful interface, rich in features and easy to use. You can choose to use the official Logto Cloud or opt for a private deployment of Logto. If you want to deploy Logto privately, we recommend using Docker Compose to deploy it together with the LobeChat database version. In this case, LobeChat can share the same Postgres instance with it. ## Logto Configuration Process The following assumes your LobeChat database version domain is `https://lobe.example.com`. If you are using a privately deployed Logto, assume its endpoint domain is `https://lobe-auth-api.example.com`. If you are using Logto Cloud, assume its endpoint domain is `https://example.logto.app`. ### Create Logto Application Access your privately deployed Logto WebUI or [Logto Cloud](http://cloud.logto.io/) to enter the console, and create a `Next.js (App Router)` application under `Applications` with any name. ### Configure Logto Set the `Redirect URI` to `https://lobe.example.com/api/auth/callback/logto` and the `Post sign-out redirect URI` to `https://lobe.example.com/`. Set `CORS allowed origins` to `https://lobe.example.com`. Configure Logto After successful creation, save the `Client ID` and `Client Secret`. ### Configure Environment Variables Configure Environment Variables Set the obtained `Client ID` and `Client Secret` as `LOGTO_CLIENT_ID` and `LOGTO_CLIENT_SECRET` in the LobeChat environment variables. Configure `LOGTO_ISSUER` in the LobeChat environment variables as follows: - `https://lobe-auth-api.example.com/oidc` if you are using a privately deployed Logto - `https://example.logto.app/oidc` if you are using Logto Cloud When deploying LobeChat, you need to configure the following environment variables: | Environment Variable | Type | Description | | ------------------------- | -------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | `NEXT_AUTH_SECRET` | Required | The key used to encrypt Auth.js session tokens. You can generate a key using the command: `openssl rand -base64 32` | | `NEXT_AUTH_SSO_PROVIDERS` | Required | Select the single sign-on provider for LobeChat. For Logto, enter `logto`. | | `AUTH_LOGTO_ID` | Required | The Client ID from the Logto App details page | | `AUTH_LOGTO_SECRET` | Required | The Client Secret from the Logto App details page | | `AUTH_LOGTO_ISSUER` | Required | OpenID Connect issuer of the Logto provider | | `NEXTAUTH_URL` | Required | This URL specifies the callback address for Auth.js during OAuth verification, needed only if the default generated redirect address is incorrect. `https://lobe.example.com/api/auth` | Visit [📘 Environment Variables](/docs/self-hosting/environment-variables/auth#logto) for details on related variables. After successful deployment, users will be able to authenticate via Logto and use LobeChat.