Logto helps you build the sign-in experience and user identity within minutes.
The monorepo for SDKs written in Kotlin.
Check out the Android SDK tutorial for more information.
Logto Android SDK is now available on MavenCentral.
```groovy
implementation 'io.logto.sdk:android:<version>'
```

```kotlin
implementation("io.logto.sdk:android:<version>")
```

The sign-in experience opens in a Custom Tab
(the system browser), so WebAuthn/passkeys and the browser session work out of the box.
The OAuth redirect is routed back to your app through an intent filter, and you must declare
its scheme with the `logtoRedirectScheme` manifest placeholder in your app's `build.gradle(.kts)`.
The placeholder is the custom scheme of the redirect URI passed to `signIn` / `signOut`
(lowercase, reverse-DNS style). The redirect URI follows the pattern
`$(scheme)://$(applicationId)/callback`, e.g. `io.logto.android://io.logto.sample/callback`.
The host is bound to your `applicationId` by the SDK, the path is fixed to `/callback`,
and both are enforced by Android's intent filter matching.
```groovy
android {
    defaultConfig {
        manifestPlaceholders.logtoRedirectScheme = 'io.logto.android'
    }
}
```

```kotlin
android {
    defaultConfig {
        manifestPlaceholders["logtoRedirectScheme"] = "io.logto.android"
    }
}
```

Prefer an `https` redirect URI bound to a domain you own? See
Use App Links below.
Custom schemes have no ownership: any app can declare the same scheme and race for the
redirect. Android App Links bind an
https redirect URI to a domain you own through a verified
Digital Asset Links
file, so the OS guarantees only your app receives the redirect. This is the redirect
option recommended for native apps by
RFC 8252.
The SDK is scheme-agnostic at runtime, and the fully qualified name of the redirect
receiver activity, `io.logto.sdk.android.auth.logto.LogtoRedirectReceiverActivity`, is
part of the public API: declare additional intent filters on it in your app's manifest
and they are merged into the SDK's declaration.
- Host the Digital Asset Links file at `https://your.domain/.well-known/assetlinks.json`, declaring your application id and the SHA-256 fingerprints of your signing certificates. When publishing with Play App Signing, the release fingerprint comes from Play Console → Setup → App signing. The file must be served as `Content-Type: application/json` with HTTP 200 and no redirects.
- Declare the App Links intent filter on the SDK's receiver activity in your app's `AndroidManifest.xml`. If you do not use the custom scheme at all, drop the SDK's built-in filter with `tools:node="removeAll"`; the `logtoRedirectScheme` placeholder is then no longer required:

  ```xml
  <manifest xmlns:android="http://schemas.android.com/apk/res/android"
      xmlns:tools="http://schemas.android.com/tools">
      <application>
          <activity android:name="io.logto.sdk.android.auth.logto.LogtoRedirectReceiverActivity">
              <!-- Omit this line to keep the custom-scheme redirect working alongside. -->
              <intent-filter tools:node="removeAll" />
              <intent-filter android:autoVerify="true">
                  <action android:name="android.intent.action.VIEW" />
                  <category android:name="android.intent.category.DEFAULT" />
                  <category android:name="android.intent.category.BROWSABLE" />
                  <data
                      android:scheme="https"
                      android:host="your.domain"
                      android:path="/callback" />
              </intent-filter>
          </activity>
      </application>
  </manifest>
  ```

- Register `https://your.domain/callback` as a redirect URI (and, if used for sign-out, a post sign-out redirect URI) in the Logto console, and pass it to `signIn` / `signOut`.
Keep in mind that the callback is now a real URL on your domain: serve a fallback page
there (e.g. a "Return to app" button) for browsers that do not launch App Links on a
server redirect. On Android 12+ an unverified domain never opens the app, so a broken
`assetlinks.json` fails silently. Check the verification state with
`adb shell pm get-app-links <applicationId>`.
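
Because a broken `assetlinks.json` fails silently, the served file can also be checked before release. The following is an added example, not part of the Logto SDK: it checks a fetched response against the serving requirements and statement contents described above. The function name, sample body and sample fingerprint are constructed for illustration; the JSON layout assumed is the standard Digital Asset Links statement list.

```python
import json

# Relation that lets an Android app handle a site's URLs (App Links).
RELATION = "delegate_permission/common.handle_all_urls"

# Constructed sample values: a placeholder fingerprint, not a real certificate.
SAMPLE_FINGERPRINT = ":".join(["AB"] * 32)
SAMPLE_BODY = json.dumps([{
    "relation": [RELATION],
    "target": {
        "namespace": "android_app",
        "package_name": "io.logto.sample",
        "sha256_cert_fingerprints": [SAMPLE_FINGERPRINT],
    },
}])


def check_assetlinks(status, content_type, body, application_id, fingerprint):
    """Return a list of problems; an empty list means the response looks usable."""
    problems = []
    if status != 200:  # a 3xx redirect counts as a failure too
        problems.append(f"HTTP status {status}; expected 200 with no redirects")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {content_type!r}; expected application/json")
    try:
        statements = json.loads(body)
    except ValueError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    if not isinstance(statements, list):
        return problems + ["top-level JSON value must be a list of statements"]
    for statement in statements:
        if not isinstance(statement, dict):
            continue
        target = statement.get("target")
        # Assumption: fingerprints are compared exactly as written
        # (uppercase hex pairs separated by colons).
        if (
            isinstance(target, dict)
            and RELATION in (statement.get("relation") or [])
            and target.get("namespace") == "android_app"
            and target.get("package_name") == application_id
            and fingerprint in (target.get("sha256_cert_fingerprints") or [])
        ):
            return problems
    return problems + [f"no statement grants {RELATION} to {application_id} with the expected fingerprint"]


if __name__ == "__main__":
    print(check_assetlinks(200, "application/json", SAMPLE_BODY, "io.logto.sample", SAMPLE_FINGERPRINT))
    print(check_assetlinks(301, "text/html", "<html>moved</html>", "io.logto.sample", SAMPLE_FINGERPRINT))
```

Feed it the status, `Content-Type` header and body from a request made with redirects disabled, once per signing certificate (debug, upload, Play App Signing).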
Upgrading from v2? See MIGRATION.md for the breaking changes (WebView removal, WeChat/Alipay native sign-in removal, and more).
| Name | Description |
|---|---|
| Kotlin SDK | Kotlin SDK is used to integrate your JVM client with Logto service |
| Android SDK | Android SDK |
After cloning the repository, install the git hooks once so detekt runs `--auto-correct` on staged Kotlin files before each commit:

```bash
./gradlew installGitHooks
```

See RELEASE.md for the automated release flow, required secrets, and manual fallback.