docs: add tenant creation automation guide (#1403)

* docs: add tenant creation automation guide

* docs: clarify tenant automation PAT wording

* fix: address PR review comments

Author: wangsijie

docs/logto-cloud/README.mdx

@@ -3,6 +3,7 @@ import Developer from '@site/src/assets/developer.svg';
 import TenantMemberManagement from '@site/src/assets/gear.svg';
 import PricingAndBilling from '@site/src/assets/key.svg';
 import McpIcon from '@site/src/assets/mcp.svg';
+import TenantAutomation from '@site/src/assets/robot.svg';
 import CustomDomains from '@site/src/assets/search.svg';
 import SystemLimit from '@site/src/assets/security.svg';
 
@@ -74,6 +75,16 @@ If you have any questions about cloud services and need additional support, plea
         icon: <SystemLimit />,
       },
     },
+    {
+      type: 'link',
+      label: 'Automate tenant management',
+      href: '/logto-cloud/automate-tenant-creation',
+      description:
+        'Create and manage tenants programmatically with Logto Cloud API and Management API.',
+      customProps: {
+        icon: <TenantAutomation />,
+      },
+    },
     {
       type: 'link',
       label: 'Logto MCP Server',

docs/logto-cloud/automate-tenant-creation.mdx

@@ -0,0 +1,242 @@
+---
+id: automate-tenant-creation
+title: Automate tenant management
+sidebar_position: 8
+---
+
+# Automate tenant management
+
+You can manage Logto Cloud tenants programmatically, including creating tenants and continuing configuration without switching to Console.
+
+This is useful when you need to provision tenants from your own onboarding flow, internal platform, AI agent, or integration automation.
+
+The automation flow is:
+
+1. Use a **Logto Cloud Personal Access Token (PAT)** to call the Logto Cloud API.
+2. Create a tenant with `POST /api/tenants`.
+3. Read the default Machine-to-machine (M2M) application credentials from the creation response.
+4. Use the default M2M application to get a Management API access token for the new tenant.
+5. Call the new tenant's Management API to continue provisioning applications, users, roles, resources, organizations, and other settings.
+
+## Before you start \{#before-you-start}
+
+Prepare the following values:
+
+| Variable             | Description                                                                  |
+| -------------------- | ---------------------------------------------------------------------------- |
+| `CLOUD_API_ENDPOINT` | The Logto Cloud API endpoint. For Logto Cloud, use `https://cloud.logto.io`. |
+| `LOGTO_CLOUD_PAT`    | A PAT for your Logto Cloud account.                                          |
+| `TENANT_NAME`        | The display name of the tenant to create.                                    |
+| `TENANT_TAG`         | The tenant type. Use `development` or `production`.                          |
+| `REGION_NAME`        | The region identifier for the tenant.                                        |
+
+Set them as environment variables:
+
+```bash
+export CLOUD_API_ENDPOINT="https://cloud.logto.io"
+export LOGTO_CLOUD_PAT="<logto-cloud-pat>"
+export TENANT_NAME="My automated tenant"
+export TENANT_TAG="development"
+export REGION_NAME="<region-name>"
+```
+
+## Get available regions \{#get-available-regions}
+
+Before creating a tenant, fetch the regions available to your Logto Cloud account:
+
+```bash
+curl "$CLOUD_API_ENDPOINT/api/me/regions" \
+  -H "Authorization: Bearer $LOGTO_CLOUD_PAT"
+```
+
+The response contains the available regions. Use the `name` value as `REGION_NAME` when creating the tenant.
+
+Example response:
+
+```json
+{
+  "regions": [
+    {
+      "name": "EU",
+      "displayName": "Europe"
+    },
+    {
+      "name": "US",
+      "displayName": "United States"
+    }
+  ]
+}
+```
+
+## Create a tenant \{#create-a-tenant}
+
+Call `POST /api/tenants` with the Logto Cloud PAT:
+
+```bash
+curl "$CLOUD_API_ENDPOINT/api/tenants" \
+  -X POST \
+  -H "Authorization: Bearer $LOGTO_CLOUD_PAT" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "'"$TENANT_NAME"'",
+    "tag": "'"$TENANT_TAG"'",
+    "regionName": "'"$REGION_NAME"'"
+  }'
+```
+
+The response includes the created tenant and a default M2M application. The M2M application is created in the new tenant and has access to the tenant's Management API.
+
+Example response:
+
+```json
+{
+  "id": "new-tenant-id",
+  "name": "My automated tenant",
+  "tag": "development",
+  "indicator": "https://new-tenant-id.logto.app",
+  "regionName": "EU",
+  "defaultApplication": {
+    "id": "default-m2m-app-id",
+    "secret": "default-m2m-app-secret"
+  }
+}
+```
+
+Save the values you need for the next step:
+
+```bash
+export TENANT_ID="<response.id>"
+export TENANT_ENDPOINT="<response.indicator>"
+export DEFAULT_M2M_APP_ID="<response.defaultApplication.id>"
+export DEFAULT_M2M_APP_SECRET="<response.defaultApplication.secret>"
+```
+
+## Get a Management API access token for the new tenant \{#get-a-management-api-access-token-for-the-new-tenant}
+
+Use the default M2M application credentials to request an access token from the new tenant:
+
+```bash
+curl "$TENANT_ENDPOINT/oidc/token" \
+  -X POST \
+  -u "$DEFAULT_M2M_APP_ID:$DEFAULT_M2M_APP_SECRET" \
+  -H "Content-Type: application/x-www-form-urlencoded" \
+  -d "grant_type=client_credentials" \
+  -d "resource=$TENANT_ENDPOINT/api" \
+  -d "scope=all"
+```
+
+Example response:
+
+```json
+{
+  "access_token": "eyJ...",
+  "expires_in": 3600,
+  "token_type": "Bearer",
+  "scope": "all"
+}
+```
+
+Save the access token:
+
+```bash
+export MANAGEMENT_API_ACCESS_TOKEN="<response.access_token>"
+```
+
+## Continue provisioning the new tenant \{#continue-provisioning-the-new-tenant}
+
+Use the Management API access token to call the new tenant's Management API.
+
+For example, list applications:
+
+```bash
+curl "$TENANT_ENDPOINT/api/applications" \
+  -H "Authorization: Bearer $MANAGEMENT_API_ACCESS_TOKEN"
+```
+
+Or create an application:
+
+```bash
+curl "$TENANT_ENDPOINT/api/applications" \
+  -X POST \
+  -H "Authorization: Bearer $MANAGEMENT_API_ACCESS_TOKEN" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "name": "My web app",
+    "type": "SPA",
+    "oidcClientMetadata": {
+      "redirectUris": ["https://example.com/callback"],
+      "postLogoutRedirectUris": ["https://example.com"]
+    }
+  }'
+```
+
+At this point, your automation can continue with any Management API operation, such as creating users, applications, API resources, roles, organizations, connectors, or sign-in experience settings.
+
+## Full automation example \{#full-automation-example}
+
+The following Node.js example creates a tenant, exchanges the returned default M2M credentials for a Management API access token, and lists applications in the new tenant:
+
+```js
+const cloudApiEndpoint = 'https://cloud.logto.io';
+const logtoCloudPat = process.env.LOGTO_CLOUD_PAT;
+
+const createTenantResponse = await fetch(`${cloudApiEndpoint}/api/tenants`, {
+  method: 'POST',
+  headers: {
+    authorization: `Bearer ${logtoCloudPat}`,
+    'content-type': 'application/json',
+  },
+  body: JSON.stringify({
+    name: 'My automated tenant',
+    tag: 'development',
+    regionName: 'EU',
+  }),
+});
+
+if (!createTenantResponse.ok) {
+  throw new Error(`Failed to create tenant: ${await createTenantResponse.text()}`);
+}
+
+const tenant = await createTenantResponse.json();
+const tenantEndpoint = tenant.indicator;
+const { id: appId, secret: appSecret } = tenant.defaultApplication;
+
+const tokenResponse = await fetch(`${tenantEndpoint}/oidc/token`, {
+  method: 'POST',
+  headers: {
+    authorization: `Basic ${Buffer.from(`${appId}:${appSecret}`).toString('base64')}`,
+    'content-type': 'application/x-www-form-urlencoded',
+  },
+  body: new URLSearchParams({
+    grant_type: 'client_credentials',
+    resource: `${tenantEndpoint}/api`,
+    scope: 'all',
+  }),
+});
+
+if (!tokenResponse.ok) {
+  throw new Error(`Failed to get Management API token: ${await tokenResponse.text()}`);
+}
+
+const { access_token: managementApiAccessToken } = await tokenResponse.json();
+
+const applicationsResponse = await fetch(`${tenantEndpoint}/api/applications`, {
+  headers: {
+    authorization: `Bearer ${managementApiAccessToken}`,
+  },
+});
+
+if (!applicationsResponse.ok) {
+  throw new Error(`Failed to list applications: ${await applicationsResponse.text()}`);
+}
+
+const applications = await applicationsResponse.json();
+
+console.log({ tenantId: tenant.id, applications });
+```
+
+## Related resources \{#related-resources}
+
+- [Personal access token](/user-management/personal-access-token)
+- [Interact with Management API](/integrate-logto/interact-with-management-api)
+- [Machine-to-machine quick start](/quick-starts/m2m)