🔧 API · CLI · Server-to-Server Track

Every case where the user doesn't log in through a browser directly: CLI, daemons, CI/CD, AI agents, and webhook receivers.

Is this the right track?

• ✅ Yes: backend-to-backend communication only, or a CLI tool calling logi on the user's behalf
• ✅ Yes: an AI agent (Claude/Cursor/Codex) driving logi over MCP
• ❌ Mobile app → 📱 Mobile Track
• ❌ User browser login → 🌐 Web Track

Branching by pattern

1. Machine ↔ machine (CLI / daemon / CI)

An environment where user interaction is possible but you can't open a browser.

• OAuth 2.0 Device Flow (RFC 8628) — the standard for TV / CLI / IoT
  • Device Flow guide
• The logi CLI — run logi login to get a device code and approve it in a browser
  • Quick install: gem install logi-cli
  • CLI install · Login · Managing apps · Managing teams
  • Using it in CI/CD — non-interactive token injection pattern

2. AI agents / LLMs

Claude Code, Cursor, and Codex driving logi in natural language.

• MCP (@logi/mcp) — the Model Context Protocol server
• AI assistant integration — the llms.txt / llms-full.txt standard endpoints
• 📥 /llms-full.txt — the full docs as an LLM-friendly package (~500 KB)

3. Backend → logi API

Verifying user tokens, looking up user info, and changing permissions.

• API reference (OpenAPI) — interactive Scalar viewer
• Token Introspection & JWKS — verify id_token / fetch public keys
• Polling Events API — pull-based delivery of user events (account deletion / disconnection)
• POST /api/v1/me/anonymous_swap — swap/merge an anonymous account into a canonical (email/SSO) account. For the full flow, see Anonymous → Canonical Account Swap.
• GET/POST /developer/applications/:id/{redirect_uri_verifications,verify_redirect_uri} (session) · GET/POST /api/v1/admin/applications/:id/{redirect_uri_verifications,verify_redirect_uri} (admin) — verify domain ownership of an RP redirect_uri (DNS TXT + .well-known, two-pronged). Redirect URI Verification.

4. logi → backend (webhook)

logi pushes asynchronous events to the RP backend.

• Webhook integration
• HMAC signature verification
• Event Delivery (3-tier)
• Webhook signing-key rotation
• RP Health Check Protocol — an active probe separate from webhooks (logi → RP /health HMAC handshake). logi actively confirms the RP is alive.

5. Management API (Org / Team / App management)

Everything the logi console does, via the API.

• API reference — the complete set of management API endpoints

---

Common reference

• Core concepts
• Choosing Public vs Confidential
• Error codes · Rate Limits
• Security best practices · Threat Model
• demo.1pass.dev/oauth — a PKCE round-trip walking sample (CLI and server integrations follow the same PKCE shape)
• Demo page walkthrough — flows organized by scenario

---

Hand the whole thing to an AI

Paste @/llms-full.txt into an LLM and say:

"Connect the logi MCP server to Claude Code. Then make my CLI script obtain a token via device flow and call /api/v1/applications."