refactor: add brief intro in swagger.json (#6102)

Author: gao-sun

packages/core/src/routes/swagger/consts.ts

@@ -0,0 +1,59 @@
+export const managementApiDescription = `Logto Management API is a comprehensive set of REST APIs that gives you the full control over Logto to suit your product needs and tech stack. To see the full guide on Management API interactions, visit [Interact with Management API](https://docs.logto.io/docs/recipes/interact-with-management-api/).
+
+### Get started
+
+The API follows the same authentication principles as other API resources in Logto, with some slight differences. To use Logto Management API:
+
+1. A machine-to-machine (M2M) application needs to be created.
+2. A machine-to-machine (M2M) role with Management API permission \`all\` needs to be assigned to the application.
+
+Once you have them set up, you can use the \`client_credentials\` grant type to fetch an access token and use it to authenticate your requests to the Logto Management API.
+
+### Fetch an access token
+
+To fetch an access token, you need to make a \`POST\` request to the \`/oidc/token\` endpoint of your Logto tenant.
+
+For Logto Cloud users, the base URL is your Logto endpoint, i.e. \`https://[tenant-id].logto.app\`. The tenant ID can be found in the following places:
+
+- The first path segment of the URL when you are signed in to Logto Cloud. For example, if the URL is \`https://cloud.logto.io/foo/get-started\`, the tenant ID is \`foo\`.
+- In the "Settings" tab of Logto Cloud.
+
+The request should follow the OAuth 2.0 [client credentials](https://datatracker.ietf.org/doc/html/rfc6749#section-4.4) grant type. Here is a non-normative example of how to fetch an access token:
+
+\`\`\`bash
+curl --location \
+  --request POST 'https://[tenant-id].logto.app/oidc/token' \
+  --header 'Content-Type: application/x-www-form-urlencoded' \
+  --data-urlencode 'grant_type=client_credentials' \
+  --data-urlencode 'client_id=[app-id]' \
+  --data-urlencode 'client_secret=[app-secret]' \
+  --data-urlencode 'resource=https://[tenant-id].logto.app/api' \
+  --data-urlencode 'scope=all'
+\`\`\`
+
+Replace \`[tenant-id]\`, \`[app-id]\`, and \`[app-secret]\` with your Logto tenant ID, application ID, and application secret, respectively.
+
+The response will be like:
+
+\`\`\`json
+{
+  "access_token": "eyJhbG...2g", // Use this value for accessing the Logto Management API
+  "expires_in": 3600, // Token expiration in seconds
+  "token_type": "Bearer", // Token type for your request when using the access token
+  "scope": "all" // Scope \`all\` for Logto Management API
+}
+\`\`\`
+
+### Use the access token
+
+Once you have the access token, you can use it to authenticate your requests to the Logto Management API. The access token should be included in the \`Authorization\` header of your requests with the \`Bearer\` authentication scheme.
+
+Here is an example of how to list the first page of users in your Logto tenant:
+
+\`\`\`bash
+curl --location \
+  --request GET 'https://[tenant-id].logto.app/api/users' \
+  --header 'Authorization: Bearer eyJhbG...2g'
+\`\`\`
+
+Replace \`[tenant-id]\` with your Logto tenant ID and \`eyJhbG...2g\` with the access token you fetched earlier.`;

packages/core/src/routes/swagger/index.ts

@@ -2,7 +2,7 @@ import fs from 'node:fs/promises';
 import { fileURLToPath } from 'node:url';
 
 import { httpCodeToMessage } from '@logto/core-kit';
-import { condArray, condString, conditionalArray, deduplicate } from '@silverhand/essentials';
+import { cond, condArray, condString, conditionalArray, deduplicate } from '@silverhand/essentials';
 import deepmerge from 'deepmerge';
 import { findUp } from 'find-up';
 import type { IMiddleware } from 'koa-router';
@@ -21,6 +21,7 @@ import { translationSchemas, zodTypeToSwagger } from '#src/utils/zod.js';
 
 import type { AnonymousRouter } from '../types.js';
 
+import { managementApiDescription } from './consts.js';
 import {
   buildTag,
   devFeatureTag,
@@ -38,6 +39,14 @@ import {
   customParameters,
 } from './utils/parameters.js';
 
+const anonymousPaths = new Set<string>([
+  'interaction',
+  '.well-known',
+  'authn',
+  'swagger.json',
+  'status',
+]);
+
 type RouteObject = {
   path: string;
   method: OpenAPIV3.HttpMethods;
@@ -99,11 +108,14 @@ const buildOperation = (
     })
   );
 
+  const [firstSegment] = path.split('/').slice(1);
+
   return {
     tags: [buildTag(path)],
     parameters: [...pathParameters, ...queryParameters],
     requestBody,
     responses,
+    security: cond(firstSegment && anonymousPaths.has(firstSegment) && []),
   };
 };
 
@@ -232,15 +244,24 @@ export default function swaggerRoutes<T extends AnonymousRouter, R extends Route
       info: {
         title: 'Logto API references',
         description:
-          'API references for Logto services. To learn more about how to interact with Logto APIs, see [Interact with Management API](https://docs.logto.io/docs/recipes/interact-with-management-api/).' +
+          'API references for Logto services.' +
           condString(
             EnvSet.values.isCloud &&
               '\n\nNote: The documentation is for Logto Cloud. If you are using Logto OSS, please refer to the response of `/api/swagger.json` endpoint on your Logto instance.'
           ),
         version: 'Cloud',
       },
       paths: Object.fromEntries(pathMap),
+      security: [{ ManagementApi: [] }],
       components: {
+        securitySchemes: {
+          ManagementApi: {
+            type: 'http',
+            scheme: 'bearer',
+            bearerFormat: 'JWT',
+            description: managementApiDescription,
+          },
+        },
         schemas: translationSchemas,
         parameters: identifiableEntityNames.reduce(
           (previous, entityName) => ({