Hi, to have a more secure AutoLogin feature, it would be possible to implement this behaviour:
- the external software executes an authenticated API call (server to server) that generates a unique token, given the user to log on and the shared secret
- the API call creates and returns a unique token that references or contains the user data
- the external software redirects the user to an AutoLogin link, passing only the unique token
- after the AutoLogin link is processed, the unique token is removed
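
A sketch of the flow proposed above, added here as an illustration; it is not code from the post or from the project. The class and function names, the in-memory store, the 60-second expiry and the choice to store only a digest of each token are assumptions, and it shows the "token references the user" variant.

```python
import hashlib
import hmac
import secrets
import time

SHARED_SECRET = b"constructed-demo-secret"   # assumption: provisioned out of band
TOKEN_TTL = 60                               # assumption: seconds a token stays valid


class AutoLoginTokens:
    """Hypothetical server-side store of pending one-time login tokens."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}   # sha256(token) -> (user, expires_at)

    @staticmethod
    def _key(token):
        # Keep only a digest, so a leaked table cannot be turned into links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, presented_secret, user):
        """Server-to-server call: authenticate the caller, then mint a token."""
        if not hmac.compare_digest(presented_secret, SHARED_SECRET):
            raise PermissionError("caller not authenticated")
        token = secrets.token_urlsafe(32)    # 256 random bits, unguessable
        self._pending[self._key(token)] = (user, self._clock() + TOKEN_TTL)
        return token

    def redeem(self, token):
        """AutoLogin link handler: yields the user once, then never again."""
        # pop() removes the token before it is honoured, so a replayed or
        # concurrently submitted link finds nothing.
        entry = self._pending.pop(self._key(token), None)
        if entry is None:
            return None
        user, expires_at = entry
        return user if self._clock() <= expires_at else None


def autologin_url(base, token):
    # Only the opaque token travels through the browser, never the
    # username or the shared secret.
    return f"{base}?token={token}"
```
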