Passwordless signin via link generated by api

Is it possible? I didn’t see this feature in the API.
I saw that passwordless signin via email link is already planned. Maybe this feature would also be possible?
Use-case: users of my Android application are signing in with the Discourse login API. Now in the application, I show the users some topics which might be of interest to them and in which they might want to post something. When they click on the topic name, I want to open a webpage with that topic being opened, and they would be already logged in. They have already logged in to the app, and I don’t want to show another login page to them.

The easiest solution is to make your app’s server be the SSO master. You can search here for sso #howto.

My problem is not SSO. Discourse is already the source of authentication for my users.
They log in to my app, and I do an API call to Discourse to see if the user/pass is correct.
Now inside the app there are some topics from my forum shown. I want the user to be able to click on that topic, and a browser or perhaps a webview would open that topic while the user is already logged in to the browser too.

If they get a user API key like our mobile app does, then it solves both issues in one go. It’s a tricky protocol but was designed for this exact problem.

5 Likes

I can’t understand it @sam. How can I automatically log in to a browser by user API key? Can you give me an example?

As Sam said, the official Discourse mobile app does it, and that’s open source.

2 Likes

I’ve tested the mobile app already. I don’t know exactly but it seems it isn’t what I want. I did the following scenario:

1- logged in to the mobile app
2- went to the Chrome browser and logged out there
3- came back to the mobile app, and I was logged out here too and it didn’t automatically log in.

In the third step, I expect the mobile app to be able to automatically log me in again.

Is there any plan to do this? Or should we go for a plugin? I also need this feature. And since it has already been implemented for email, I think it’s also possible for the API to do it.

@hosna the feature already exists; go to the homepage here, log out, and select “email” as login type.

It is default off though. Do you think we should make it default on for 2.2 @sam?

1 Like

No

I want to generate a passwordless signin link via the API. I don’t want to send the link via email.

Then you want SSO. Search for SSO here.

I think I also don’t want SSO. As explained here by @parisa, I also have my application signing in with the Discourse API. Now I want to put a link to a specific topic inside my application. When the user clicks on it, they would be redirected to a specific topic, while they should already be signed in (they shouldn’t need to write their username and password).

That’s SSO, exactly what you described.

1 Like

Yes I would like to change this to default on. I just flicked this to enabled by default.

1 Like

This is very confusing to me. If you make this API call you get the _t cookie back which you can use. So just use that in your web view?

Or do you somehow have the master API key embedded in your app? If that is the case, I would urge you to rethink this ASAP.

1 Like

No, the master API key is not embedded in the app. It is embedded in PHP code. Then I post the username and password of the user to that PHP code and check if they are valid. If so, the user is authorized to log in to the app.