refactor: add-fragments-content

docs/authorization/api-resources/protect-your-api.mdx

@@ -156,3 +156,17 @@ There are various open-source libraries and packages that can help you to valida
 ## Reference \{#reference}
 
 Logto uses the code-based OAuth 2.0 Authorization Protocol to make your API request safe. If you are interested in the strategy behind it, refer to OAuth 2.0's [specification](https://datatracker.ietf.org/doc/html/rfc6749#section-1.3.1) for more details.
+
+## FAQs \{#faqs}
+
+<details>
+
+<summary>
+
+### How to test the client-side, Logto, and server-side interaction without building the client? \{#how-to-test-the-client-side-logto-and-server-side-interaction-without-building-the-client}
+
+</summary>
+
+You can automate this process without needing to build the client. One option is to use a Personal Access Token (PAT). A PAT allows you to simulate client-side authentication by representing a specific user, with different roles and permissions. This can be used to test your server-side logic, such as access token or JWT validation, without the need for a fully built client. To get started, refer to the [Personal access token](/user-management/personal-access-token).
+
+</details>

docs/authorization/role-based-access-control/configure-roles.mdx

@@ -81,6 +81,6 @@ Manage using the Logto Management API. Make a call to the relative end point. Ch
 | POST   | [/api/roles/\{Id\}/scopes](https://openapi.logto.io/operation/operation-createrolescope)                               | Link a list of API resource scopes (permissions) to a role. The original linked scopes will be kept. |
 | DELETE | [/api/roles/\{Id\}/scopes/\{scopeId\}](https://openapi.logto.io/operation/operation-deleterolescope)                   | Unlink an API resource scope (permission) from a role with the given ID.                             |
 
-# Default roles
+## Default roles \{#default-roles}
 
-Default roles are the automatically assigned roles when the users are created, either for the self-sign-up or created through Management API. You can enable this toggle by going to roles-role detail-general.
+Default roles are the automatically assigned roles when the users are created, either for the self-sign-up or created through Management API. You can enable this toggle by going to “General” tab on the detail page under <CloudLink to="/roles">Console > Roles</CloudLink>.

docs/developers/user-impersonation.mdx

@@ -140,6 +140,12 @@ grant_type=urn:ietf:params:oauth:grant-type:token-exchange
 
 The `access_token` returned will be bound to the specified resource, ensuring it can only be used with TechCorp's customer data API.
 
+**Note**: For traditional web applications, include `client credentials` in the header of the token request to prevent a 401 invalid_client error.
+
+```json
+Authorization: Basic ${Buffer.from(${id}:${secret}, 'utf8').toString('base64')}
+```
+
 ## Example usage \{#example-usage}
 
 Here's how Sarah might use this in a Node.js support application:

docs/end-user-flows/account-settings/by-account-api.mdx

@@ -25,6 +25,10 @@ Some frequently usage are listed below:
 
 To learn more about the APIs that are available, please visit [Logto Account API Reference](https://openapi.logto.io/group/endpoint-my-account) and [Logto Verification API Reference](https://openapi.logto.io/group/endpoint-verifications).
 
+:::note
+Dedicated Account APIs for the following settings are coming soon: MFA, SSO, Custom data (user), and Account deletion. In the meantime, you can implement these features using the Logto Management APIs. See [Account settings by Management API](/end-user-flows/account-settings/by-management-api) for more details.
+:::
+
 ## How to enable Account API \{#how-to-enable-account-api}
 
 By default, the Account API is disabled. To enable it, you need to use the [Management API](/integrate-logto/interact-with-management-api) to update the global settings.

docs/end-user-flows/account-settings/by-management-api.mdx

@@ -170,6 +170,17 @@ There a few limitations to consider when linking new social identities to a user
 
 Currently, the Management API does not support linking or unlinking enterprise identities to a user. You can only display the enterprise identities linked to a user.
 
+### Personal access token \{#personal-access-token}
+
+| method | path                                                                                                                                 | description                                   |
+| ------ | ------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------- |
+| GET    | [/api/users/\{userId\}/personal-access-tokens](https://openapi.logto.io/operation/operation-listuserpersonalaccesstokens)            | Get all personal access tokens for the user.  |
+| POST   | [/api/users/\{userId\}/personal-access-tokens](https://openapi.logto.io/operation/operation-createuserpersonalaccesstoken)           | Add a new personal access token for the user. |
+| DELETE | [/api/users/\{userId\}/personal-access-tokens/\{name\}](https://openapi.logto.io/operation/operation-deleteuserpersonalaccesstoken)  | Delete a token for the user by name.          |
+| PATCH  | [/api/users/\{userId\s}/personal-access-tokens/\{name\}](https://openapi.logto.io/operation/operation-updateuserpersonalaccesstoken) | Update a token for the user by name.          |
+
+Personal access tokens provide a secure way for users to grant [access token](https://auth.wiki/access-token) without using their credentials and interactive sign-in. Learn more about [using personal access tokens](/user-management/personal-access-token).
+
 ### User MFA settings management \{#user-mfa-settings-management}
 
 | method | path                                                                                                                                 | description                               |

docs/end-user-flows/enterprise-sso/sp-initiated-sso.mdx

@@ -72,3 +72,24 @@ Different enterprise clients use different identity providers to manage their em
 However, if you are developing a B2E product and want to show a button for a specific enterprise client, you can create a custom login page and use `directSignIn:sso` to route the button appropriately. Learn more about the [direct sign-in parameter](/end-user-flows/authentication-parameters/direct-sign-in/).
 
 </details>
+
+<details>
+
+<summary>
+
+### How to enable SSO-only sign-in and registration? \{#how-to-enable-sso-only-sign-in-and-registration}
+
+</summary>
+
+To enable SSO-Only Sign-in and registration, follow these steps:
+
+1. Configure in <CloudLink to="/sign-in-experience/sign-up-and-sign-in">Console > Sign-in experience > Sign-in and sign-in</CloudLink>
+   - Sign up: Not applicable
+   - Sign in: None
+   - Social sign-in: None
+   - Enterprise SSO: Enabled
+   - User registration: Disabled
+2. Manually add users by entering their enterprise email address in <CloudLink to="/users">Console > User management</CloudLink> or import via [Management API](https://openapi.logto.io/operation/operation-createuser).
+3. When users sign in via SSO for the first time, Logto will [auto-link](/end-user-flows/enterprise-sso/enterprise-sso-identity#enterprise-sso-account-linking) their existing email address to their SSO account.
+
+</details>

docs/end-user-flows/mfa/configure-mfa.mdx

@@ -24,6 +24,10 @@ Follow these steps to enable MFAs in users’ Logto sign-in flow:
 
 ![MFA settings](./assets/configure-mfa.png)
 
+:::note
+For products with a multi-tenant architecture that support [Organizations](/organizations), you probably don’t need to require MFA for all users. Instead, MFA can be enabled on a per-organization basis, allowing you to tailor the requirements based on each client’s needs. To get started, refer to [Requiring MFA for organization members](/organizations/organization-management#require-mfa-for-organization-members).
+:::
+
 ## MFA user flow \{#mfa-user-flow}
 
 ### MFA set-up flow \{#mfa-set-up-flow}

docs/integrate-logto/README.mdx

@@ -1,9 +1,14 @@
+---
+description: Easily integrate authentication into your applications, service as IdP to authorize OAuth apps, and utilize auth APIs, all with federated identity.
+sidebar_label: Integrate Logto
+---
+
 import CloudConnectionIcon from '@site/src/assets/cloud-connection.svg';
 import GuidesIcon from '@site/src/assets/guides.svg';
 import IntegrateIcon from '@site/src/assets/integrate.svg';
 import ProtectedAppIcon from '@site/src/assets/protected-app.svg';
 
-# Integrate Logto
+# Integrate Logto authentication
 
 Logto provides comprehensive authentication solutions for web, mobile and desktop applications, supports [Machine-to-Machine (M2M)](/quick-starts/m2m) authentication between services, and can serve as an Identity Provider (IdP) for [third-party applications](/integrate-logto/third-party-applications) through standard protocols like [OpenID Connect(OIDC)](https://auth.wiki/openid-connect) and [OAuth 2.0](https://auth.wiki/oauth-2.0).
 

docs/integrate-logto/application-data-structure.mdx

@@ -1,4 +1,5 @@
 ---
+description: Refer to key application parameters for OIDC authentication integration, including redirect URIs, endpoints, refresh tokens, backchannel logout, etc.
 sidebar_position: 5
 ---
 

docs/integrate-logto/integrate-logto-into-your-application/README.mdx

@@ -1,4 +1,5 @@
 ---
+description: Integrate application authentication and identity federation in minutes with our quickstart guides.
 sidebar_position: 1
 ---
 

docs/integrate-logto/integrate-logto-into-your-application/understand-authentication-flow.mdx

@@ -1,4 +1,9 @@
-# Understand authentication flow
+---
+description: Explain the core OIDC authentication flows for human users and machine-to-machine interactions, highlighting token exchange.
+sidebar_label: Understand authentication flow
+---
+
+# Understand OIDC authentication flow
 
 Logto is built on [OAuth 2.0](https://auth.wiki/oauth-2.0) and [OpenID Connect (OIDC)](https://auth.wiki/openid-connect) standards. Understanding these authentication standards will make the integration process smoother and more straightforward.
 

docs/integrate-logto/interact-with-management-api/README.md

@@ -1,4 +1,5 @@
 ---
+description: Utilize Management APIs to access Logto’s backend services, scaling your CIAM system with user management, account settings, identity verification, and multi-tenant architecture.
 sidebar_position: 4
 ---
 

docs/integrate-logto/protected-app.mdx

@@ -1,8 +1,10 @@
 ---
+description: Easily add no-code authentication to your web apps with Logto’s innovative Protected App, powered by Cloudflare. Supports HTTP Basic Authentication and JWT validation.
+sidebar_label: Protected App
 sidebar_position: 2
 ---
 
-# Protected App
+# Protected App — Non-SDK authentication integration
 
 The Protected App is designed to eliminate the complexity of [SDK integrations](/quick-starts) by separating the [authentication](https://auth.wiki/authentication) layer from your application. We handle the authentication, allowing you to focus on your core functionality. Once a user is authenticated, the Protected App serves the content from your server.
 

docs/integrate-logto/third-party-applications/README.mdx

@@ -1,4 +1,5 @@
 ---
+description: Use Logto to create your own Identity Provider and enable SSO for third-party applications. Effortlessly integrate OIDC, OAuth, or SAML application.
 sidebar_position: 3
 ---
 

docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/README.mdx

@@ -1,3 +1,7 @@
+---
+description: Integrate third-party OIDC / OAuth applications and provide OAuth authorization with a consent screen.
+---
+
 import AuthorizationIcon from '@site/src/assets/authorization.svg';
 import CustomizationIcon from '@site/src/assets/customization.svg';
 

docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/consent-screen-branding.mdx

@@ -1,10 +1,12 @@
 ---
+description: Customize app branding, terms, and privacy displayed on the OAuth consent screen to build user trust and improve authorization.
+sidebar_label: Consent screen branding
 sidebar_position: 2
 ---
 
 import ConsentScreenBranding from './assets/consent-screen-branding.webp';
 
-# Consent screen branding
+# Custom consent screen branding
 
 It is important to ensure the third-party's branding information and terms link is properly displayed to the users when they are redirected to the third-party application's consent screen.
 

docs/integrate-logto/third-party-applications/oidc-oauth-third-party-applications/permission-management.mdx

@@ -1,11 +1,13 @@
 ---
+description: Choose app authorization scopes (permissions) and ensure they are clearly shown on the OAuth consent screen.
+sidebar_label: Permission management
 sidebar_position: 1
 ---
 
 import GrantPermissionsOfOrganizationData from './assets/grant-permissions-of-organization-data.webp';
 import GrantPermissionsOfUserData from './assets/grant-permissions-of-user-data.webp';
 
-# Permission management
+# Permission management of the OIDC / OAuth application
 
 Third-party applications, not owned by your service, are integrated with Logto as identity providers to authenticate users. These apps, typically from external service providers, require careful permission management to protect user data.
 

docs/introduction/README.mdx

@@ -1,3 +1,7 @@
+---
+description: Quickly launch your identity and access management system by integrating Logto. Enjoy authentication, authorization, and multi-tenant management all in one.
+---
+
 import AuditLogIcon from '@site/src/assets/audit-log.svg';
 import AuthorizationIcon from '@site/src/assets/authorization.svg';
 import CloudIcon from '@site/src/assets/cloud.svg';

docs/introduction/plan-your-architecture/README.mdx

@@ -1,4 +1,5 @@
 ---
+description: Design your identity system architecture by evaluating single-tenant, multi-tenant, and multi-application options.
 sidebar_position: 3
 ---
 

docs/introduction/plan-your-architecture/b2b.mdx

@@ -1,4 +1,6 @@
 ---
+description: Discover how to create a scalable multi-tenant identity system for B2B software with all AuthN and AuthZ features.
+sidebar_label: B2B architecture
 sidebar_position: 2
 ---
 
@@ -9,7 +11,7 @@ import GenericFeatures from './_generic-features.mdx';
 import RelatedResource from './_related-resource.mdx';
 import ImageB2b from './assets/b2b.svg';
 
-# B2B architecture
+# Multi-tenant architecture for B2B services
 
 ## Architecture \{#architecture}
 

docs/introduction/plan-your-architecture/b2c.mdx

@@ -1,12 +1,14 @@
 ---
+description: Discover how to create a highly secure customer identity system with all essential AuthN and AuthO features.
+sidebar_label: B2C architecture
 sidebar_position: 1
 ---
 
 import GenericFeatures from './_generic-features.mdx';
 import RelatedResource from './_related-resource.mdx';
 import ImageB2c from './assets/b2c.svg';
 
-# B2C architecture
+# Single-tenant architecure for B2C services
 
 ## Architecture \{#architecture}
 

docs/introduction/set-up-logto-cloud.mdx

@@ -1,5 +1,5 @@
 ---
-description: This section covers basic setup steps and key actions to effectively deliver your product and manage your development workflow.
+description: Basic steps to initiate Logto Cloud Service as your OAuth 2, OIDC, and SAML provider.
 sidebar_position: 1
 ---
 

docs/introduction/set-up-logto-oss.mdx

@@ -1,5 +1,5 @@
 ---
-description: This section covers basic setup steps and key actions to effectively deliver your product and manage your development workflow for Logto open-source service (OSS).
+description: Basic steps to configure Logto open-source and implement your identity system.
 sidebar_position: 2
 ---
 

docs/logto-cloud/billing-and-pricing.mdx

@@ -120,3 +120,17 @@ If you choose to stop using the Pro plan, you can switch to the Free plan, but y
 ## Future pricing plan change \{#future-pricing-plan-change}
 
 To provide you with a stable and predictable billing experience, we will grandfather your current plan whenever pricing changes occur.
+
+## FAQs \{#faqs}
+
+<details>
+
+<summary>
+
+### What is the connection between token consumption and MAU? \{#what-is-the-connection-between-token-consumption-and-mau}
+
+</summary>
+
+Logto uses token-based authentication. A single-user sign-in one time might involve consuming two or three tokens: ID token, Access token, and Refresh token. If you use features like M2M or Organization, additional tokens, such as M2M tokens or Organization tokens, may also be involved. Token consumption depends on how users interact with your system. To help you track this, we offer real-time token usage monitoring in the <CloudLink to="/dashboard">Console > Dashboard</CloudLink>. Here is an example: our free plan offers 100k tokens for free, which can support up to 50k MAU (Monthly Active Users).
+
+</details>

docs/organizations/organization-data.mdx

@@ -27,3 +27,17 @@ See [organization-specific logos](/customization/match-your-brand/#organization-
 ## Custom data \{#custom-data}
 
 _Custom data_ is a JSON object used to store extra information about the organization. It gives developers flexibility to store additional organization details for development purposes.
+
+## Is MFA required \{#is-mfa-required}
+
+_isMfaRequired_ indicates whether Multi-Factor Authentication (MFA) is mandatory for the organization. If set to `true`, all members must bypass MFA during sign-in to access the organization. This security policy setting is configured at the organization level.
+
+See [Manage organization](/organizations/organization-management#require-mfa-for-organization-members) for more details.
+
+## Created at \{#created-at}
+
+_createdAt_ is the timestamp with the timezone when the organization was created.
+
+## Tenant ID \{#tenant-id}
+
+_tenantId_ identifies the tenant that the organization belongs to.

docs/quick-starts/fragments/_scope-claim-list.md

@@ -53,6 +53,12 @@ Please refer to the [OpenID Connect Core 1.0](https://openid.net/specs/openid-co
 | identities     | `object` | The linked identities of the user     | Yes             |
 | sso_identities | `array`  | The linked SSO identities of the user | Yes             |
 
+**`roles`**
+
+| Claim name | Type       | Description           | Needs userinfo? |
+| ---------- | ---------- | --------------------- | --------------- |
+| roles      | `string[]` | The roles of the user | No              |
+
 **`urn:logto:scope:organizations`**
 
 | Claim name        | Type       | Description                               | Needs userinfo? |

docs/user-management/manage-users.mdx

@@ -82,3 +82,17 @@ Logto supports [organizations](/organizations/organization-management) and can m
 The user-related [RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer) APIs are mounted at `/api/users` except for the user activities, i.e., user logs `/api/logs?userId=:userId`.
 
 You can manage users through the Management API in several use cases. Such as [advanced user search](/user-management/advanced-user-search), [bulk creation accounts](https://openapi.logto.io/operation/operation-createuser), [invitation-only sign-up](/end-user-flows/sign-up-and-sign-in/disable-user-registration), etc.
+
+## FAQs \{#faqs}
+
+<details>
+
+<summary>
+
+### How to restrict access to certain applications for specific users? \{#how-to-restrict-access-to-certain-application-for-specific-users}
+
+</summary>
+
+You can assign different roles and permissions to users. In each application, validate user roles and restrict access as needed. Refer to Authorization: [Role-based access control](/authorization/role-based-access-control).
+
+</details>