Discourse Login Setup
New Changes
Starting with Lexicon version 3.0.0, additional setup is required to enable login and registration through the Lexicon mobile app. All login and authentication processes are now managed via the Discourse web view.
This update transitions the mobile app's authorization from a cookie-based implementation to the User API Key system provided by Discourse. This change enhances the security of the Lexicon mobile app and ensures it interacts with Discourse APIs using API keys instead of cookies, following Discourse's recommendations.
For more detailed information about User API Keys, refer to the official Discourse documentation on User API Keys.
Required Discourse Setup
To enable login on the Lexicon mobile app, the following configurations are necessary:
- Maximum request limits for User API Keys
- auth_redirect: the URL to redirect back to with the generated token
Increasing User API Keys Request Limits
Discourse imposes rate limits on User API Keys requests per minute and per day. Exceeding these limits will result in an error:
"You’ve performed this action too many times. Please wait 1 minute before trying again."
The default User API Keys request limits are:
max_user_api_reqs_per_minute = 20
max_user_api_reqs_per_day = 2880
Discourse allows these limits to be changed. There are two ways to change them, depending on whether the instance is a development or a production one.
Development
To adjust the request limit for User API Keys on your local Discourse instance, modify the discourse/config/discourse_defaults.conf file. Locate the following section:
### rate limits apply to all sites
max_user_api_reqs_per_minute = 20
max_user_api_reqs_per_day = 2880
Update the values based on the limits you want to set:
### rate limits apply to all sites
max_user_api_reqs_per_minute = 2000
max_user_api_reqs_per_day = 288000
This will increase the request limits accordingly.
Production
To modify the maximum request limits for User API Keys on your Discourse server, you need to update the app.yml file located in the /var/discourse/containers directory.
Follow these steps:
- Connect to your Discourse server
  Log in to your server via SSH:
    ssh root@<ip_address>
- Navigate to the containers directory
  Change to the directory where the configuration file is located:
    cd /var/discourse/containers
- Edit the app.yml file
  Open the file using a text editor:
    nano app.yml
- Update the environment variables
  Under the env section of the file, add or modify the following values to set the desired request limits:
    DISCOURSE_MAX_USER_API_REQS_PER_MINUTE: 200
    DISCOURSE_MAX_USER_API_REQS_PER_DAY: 28800
- Rebuild the Discourse container
  After saving the changes, rebuild the container to apply the updates:
    cd ..
    ./launcher rebuild app
Auth Redirect Token
The auth_redirect parameter is required when generating links for User API Keys, as explained in the Discourse Official Documentation on User API Keys.
Discourse uses the auth_redirect URL to redirect users after they authorize their account. The URL will return the User API Key payload, for example: {discourse_url}/auth_redirect?payload={Api_key}. This payload is used to authorize the user when using the Lexicon mobile app.
Here’s how to set up your own auth_redirect:
- Access your Discourse Admin Dashboard
  As an admin user, log in to your Discourse admin panel.
- Navigate to the Settings Tab
  In the admin dashboard, go to the Settings tab.
- Search for "Allowed User API Auth Redirects"
  Use the search function to find Allowed user API auth redirects.
- Add the URL
  Add the new URL based on the authRedirect constant defined in the file frontend/src/screens/AuthenticationWebView.tsx. By default, the base URL used is discourseHost from frontend/Config.ts, and the path is /auth_redirect. You can customize this path as needed.
  Ensure that the URL registered in Discourse under Allowed User API auth redirects matches the authRedirect URL.
- Test the Login
  After adding the URL, try logging in using the Lexicon mobile app.
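Because the payload on the auth_redirect URL carries the User API Key, the client should accept it only from a URL whose origin and path are exactly the registered redirect. The function below is an added example, not code from the Lexicon project; extractPayload, AUTH_REDIRECT and the forum.example.com URLs are hypothetical, and an https redirect is assumed.

```typescript
// Added example: extractPayload, AUTH_REDIRECT and all sample URLs are
// hypothetical and are not taken from the Lexicon code base.

// Constructed value standing in for discourseHost + "/auth_redirect".
const AUTH_REDIRECT = "https://forum.example.com/auth_redirect";

/**
 * Returns the `payload` query value only when `navigatedUrl` has exactly the
 * same origin and path as the registered redirect; otherwise returns null.
 */
function extractPayload(
  navigatedUrl: string,
  authRedirect: string = AUTH_REDIRECT
): string | null {
  let target: URL;
  let expected: URL;
  try {
    target = new URL(navigatedUrl);
    expected = new URL(authRedirect);
  } catch {
    return null; // not a parseable absolute URL
  }
  // Compare parsed components, never string prefixes: a prefix test would
  // also accept a lookalike host such as forum.example.com.lookalike.test.
  if (target.origin !== expected.origin) return null;
  if (target.pathname !== expected.pathname) return null;
  // Reject URLs that embed credentials before the host.
  if (target.username !== "" || target.password !== "") return null;
  const payload = target.searchParams.get("payload");
  return payload !== null && payload.length > 0 ? payload : null;
}

// Constructed sample navigations a web view might report.
const samples: string[] = [
  "https://forum.example.com/auth_redirect?payload=abc123",
  "https://forum.example.com.lookalike.test/auth_redirect?payload=abc123",
  "http://forum.example.com/auth_redirect?payload=abc123",
];
for (const url of samples) {
  console.log(url, "->", extractPayload(url));
}
```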
New Login Flow for Lexicon Mobile App
The new login process in the Lexicon mobile app is handled through a Discourse login web view. When a user attempts to log in, the app will open a web view that directs the user to a new URL, generating a User API Key. After entering their username and password and clicking "Authorize," the user will receive a new User API Key that grants access to all features of the Lexicon mobile app.
Follow these steps to complete the new login flow in the Lexicon mobile app:
- Open the Lexicon Mobile App
  Upon opening the app, the first page displayed will be the Welcome page.
- Click the "Get Started" Button
  Tap the Get Started button to initiate the Discourse login web view.
- Enter Your Credentials
  On the Discourse login page, enter your username and password, then click the Log In button.
- Authorize Your Account
  After a successful login, you'll be redirected to a page asking you to authorize your account to access the app.
- Click "Authorize"
  Tap the Authorize button to generate your new User API Key. Afterward, you will be redirected to the Home page of the Lexicon mobile app, where you can begin using all available features.
Checking and Revoking Your User API Key
You can check if the User API Key was successfully created and revoke it if needed. To do this, you’ll need to access your Discourse Profile Settings.
Follow these steps to view and manage your User API Key:
- Log in to Your Discourse Account
  Go to the Discourse website and log in to your account.
- Access Profile Settings
  Open the Profile -> Preferences -> Security tab.
- Scroll to the "App" Section
  Scroll down to the bottom of the page until you see the App section. Here, you will see a list of all User API Keys generated for your account. You can revoke any of these keys, which will automatically log you out of the Lexicon mobile app.

The implementation of User API Keys in the Lexicon mobile app is based on the Discourse mobile app. You can review the relevant code in this GitHub file.