Moodle Tracker: MDL-69555

Make duration of QR login and auto-login time between requests configurable


Details

    • Affects versions: MOODLE_310_STABLE, MOODLE_311_STABLE, MOODLE_39_STABLE, MOODLE_400_STABLE
    • Fix version: MOODLE_400_STABLE
    • Branch: MDL-69555-master
      Prerequisite
      1. Moodle site configured to use https (e.g. using ngrok with $CFG->sslproxy set to true)
      2. Mobile device with a QR code reader app
      3. As the site admin, ensure that Mobile services are enabled in Site administration > Advanced features
      4. As the site admin, ensure that the Mobile app > Mobile app authentication > QR code access setting is set to QR code with automatic login
      Automatic login via QR code as a non-admin user
      1. Log in to the Moodle site with a non-admin user account
      2. Go to the user profile page.
      3. Confirm that you can see the "View QR code" button in the "Mobile app" section of your profile page.
      4. Confirm that the message above the "View QR code" button says at the end "The QR code will expire in 10 mins."
      5. Click the "View QR code" button and scan the QR code with a phone
      6. Copy the scanned text result somewhere on your computer
      7. Open the console and execute this curl request replacing SITE_URL and YOUR_QR_LOGIN_KEY with the value of the qrlogin parameter from the scanned text and USERID with the id of the user the code was generated for.

         curl 'SITE_URL/lib/ajax/service.php' -A "MoodleMobile" --data-binary '[{"index":0,"methodname":"tool_mobile_get_tokens_for_qr_login","args":{"qrloginkey": "YOUR_QR_LOGIN_KEY", "userid": "USERID"}}]' | python -m "json.tool"
        

      8. Confirm that:
        • In the response to the curl request you see three fields: token, privatetoken and warnings
        • Warning is empty
        • token and privatetoken are not empty
      9. Open the console and execute this new curl request (let's call this "core_webservice_get_site_info"), replacing SITE_URL and TOKEN with the value of the token field from the previous curl request

        curl 'SITE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'wsfunction=core_webservice_get_site_info&wstoken=TOKEN' | python -m "json.tool"
        

      10. Confirm that you see information about the site (site name, version) among other fields in the response.
      Set a custom "QR authentication key duration" value
      1. As the site admin, set the Mobile app > Mobile app authentication > QR code access setting to 10 seconds
      2. Log in to the Moodle site with a non-admin user account
      3. Go to the user profile page.
      4. Confirm that you can see the "View QR code" button in the "Mobile app" section of your profile page.
      5. Confirm that the message above the "View QR code" button says at the end "The QR code will expire in 10 seconds."
      6. Click the "View QR code" button and scan the QR code with a phone
      7. Copy the scanned text result somewhere on your computer
      8. Wait for at least 10 seconds to be sure that the code has expired
      9. Open the console and execute this curl request replacing SITE_URL and YOUR_QR_LOGIN_KEY with the value of the qrlogin parameter from the scanned text and USERID with the id of the user the code was generated for.

         curl 'SITE_URL/lib/ajax/service.php' -A "MoodleMobile" --data-binary '[{"index":0,"methodname":"tool_mobile_get_tokens_for_qr_login","args":{"qrloginkey": "YOUR_QR_LOGIN_KEY", "userid": "USERID"}}]' | python -m "json.tool"
        

      10. Confirm that:
        • The curl response is an exception with the message "Expired key"
      Test auto-login minimum time between requests for keys
      1. As a Moodle admin now go to Site administration > Mobile app > Mobile authentication
      2. Set the field "Minimum time between auto-login requests" to a value of "30 minutes", and Save changes
      3. Open a new incognito tab in the browser and get a normal token and private token via this URL (replace U with username and P with the user password): https://SITE_URL/login/token.php?username=U&password=P&service=moodle_mobile_app
      4. Now we are going to get an auto-login key that is valid for 30 minutes. We need to call this WS via curl; replace the token and privatetoken values with the ones from step 3.

        curl 'https://SITE_URL/webservice/rest/server.php?moodlewsrestformat=json' --data 'privatetoken=PRIVATETOKEN&wsfunction=tool_mobile_get_autologin_key&wstoken=WSTOKEN' --header 'user-agent: MoodleMobile'

      5. Confirm that
        • You get as response a key and the autologin url
      6. Point your browser incognito tab to the autologin url, replacing your key and userid: https://SITE_URL/admin/tool/mobile/autologin.php?key=KEY&userid=USERID
      7. Check that you are successfully logged in.
      8. Log out from Moodle site and close the incognito tab
      9. Now repeat the same curl request from step 2 and confirm that:
        • You get an "autologinkeygenerationlockout" errorcode as part of a general exception
      10. As a Moodle admin now go to Site administration > Mobile app > Mobile authentication
      11. Set the field "Minimum time between auto-login requests" to a value of "1 minutes", and Save changes
      12. Repeat the curl request from step 2 and confirm that:
        • You get as response a key and the autologin url
      13. Wait exactly 20 seconds, repeat the request again and confirm that:
        • You get a "autologinkeygenerationlockout" error
      14. Wait 40 seconds, repeat the curl request again and confirm that:
        • You get as response a key and the autologin url
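      The two time windows exercised by the steps above (how long a QR login key stays valid, and the minimum time between auto-login key requests, which the description below also explains) as a simplified model. This is added example code, not Moodle's implementation: the key values, the URL shape and the "Invalid key" message are constructed; "Expired key" and "autologinkeygenerationlockout" are the strings the test steps expect.

```python
import secrets
class MobileAuthModel:
    """Toy model of the two configurable windows; a fake clock (`now`) stands in for time()."""
    def __init__(self, qr_key_duration=600, autologin_min_interval=60):
        self.qr_key_duration = qr_key_duration                # seconds a QR login key stays valid
        self.autologin_min_interval = autologin_min_interval  # min seconds between key requests
        self.now, self._qr_keys, self._last_autologin = 0, {}, {}

    def create_qr_key(self, userid):          # what "View QR code" encodes (constructed values)
        key = secrets.token_hex(16)
        self._qr_keys[key] = (userid, self.now + self.qr_key_duration)
        return key

    def get_tokens_for_qr_login(self, qrloginkey, userid):
        entry = self._qr_keys.pop(qrloginkey, None)  # single use: consumed on any attempt
        if entry is None or entry[0] != userid:
            raise ValueError("Invalid key")          # constructed message
        if self.now >= entry[1]:
            raise ValueError("Expired key")          # message the test steps expect
        return {"token": secrets.token_hex(16), "privatetoken": secrets.token_hex(32), "warnings": []}

    def get_autologin_key(self, userid):
        last = self._last_autologin.get(userid)
        if last is not None and self.now - last < self.autologin_min_interval:
            raise PermissionError("autologinkeygenerationlockout")  # errorcode the test steps expect
        self._last_autologin[userid] = self.now
        return {"key": secrets.token_hex(16), "autologinurl": f"https://SITE_URL/admin/tool/mobile/autologin.php?userid={userid}"}

def qr_login_after(duration, wait, userid=5):
    """Issue a QR key valid for `duration` s, wait `wait` s, then redeem it; return the outcome."""
    m = MobileAuthModel(qr_key_duration=duration)
    key = m.create_qr_key(userid)
    m.now += wait
    try:
        resp = m.get_tokens_for_qr_login(key, userid)
    except ValueError as exc:
        return str(exc)
    return "ok" if resp["token"] and resp["privatetoken"] and not resp["warnings"] else "bad"

def autologin_requests(min_interval, waits, userid=5):
    """Request an auto-login key once per entry in `waits`, advancing the clock by it first."""
    m = MobileAuthModel(autologin_min_interval=min_interval)
    results = []
    for wait in waits:
        m.now += wait
        try:
            m.get_autologin_key(userid)
            results.append("key")
        except PermissionError as exc:
            results.append(str(exc))
    return results
```

With a 10-second QR duration and a 10-second wait the redeem fails with "Expired key"; with a 1-minute lockout, requests at 0 s, 20 s and 60 s give key, lockout, key, matching steps 12 to 14.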

    Description

      QR login time

      The time period of duration for QR code login is hard coded and set to 600 seconds. That makes sense and is in most cases a very good setting. In some cases it makes sense to set this time period to a much longer time.

      Feedback from a Moodle Partner:

      I had the discussion with teachers from primary schools that work from class 1, when pupils can't read or write. They have the wish that they can set the time period for a QR code to six months and print the QR code for each pupil.

      This is not as secure as a period of 600 seconds. But I see the point from their perspective.

      We could solve this when we make the period configurable by admins.

      Auto-login time between requests

      Apart from, but related to, the previous point, we have detected that in recent Moodle versions it is really difficult to have a consistent auto-login in the app (when we perform an SSO between app and web to embed Moodle LMS content in the app).
      This is caused by some additional cookie security restrictions on Android and especially iOS. The only way to fix this will be allowing site admins to relax the security time between auto-login requests (auto-login is quite secure right now; it implements different levels of protection, see tool_mobile_external::get_autologin_key()). The time-between-requests restriction was mostly there to avoid clients being able to abuse generating auto-login keys when it wasn't something really necessary until now.

            People

              jleyva Juan Leyva
              ralfh Ralf Hilgenstock
              Dani Palou Dani Palou
              Shamim Rezaie Shamim Rezaie
              Angelia Dela Cruz Angelia Dela Cruz
              Adrian Greeve, David Woloszyn, Huong Nguyen, Jake Dallimore, Meirza, Michael Hawkins, Raquel Ortega, Safat Shahin, Stevani Andolo

              Dates

                Resolved: 19/Apr/22

                Time Tracking

                  Estimated: 0m
                  Remaining: 0m
                  Logged: 5h 15m