We’re developing a React Native mobile application that uses Auth0 for authentication. Our goal is to allow users to open a Rocket.Chat WebView “already logged in”, without needing to manually authenticate again inside the WebView.
Since cookies and session data from the native app are not shared with the WebView, and Auth0’s token cannot be exchanged directly with Rocket.Chat for a session, we began exploring programmatic login options.
One approach we looked at was the deprecated endpoint:
POST /api/v1/users.createToken
This endpoint appeared to solve our exact use case. It allowed an admin to generate a session token (authToken) for a user, which we could inject into the WebView via localStorage.setItem('Meteor.loginToken', token), effectively logging the user in without interaction.
Unfortunately, we realized this endpoint is deprecated and scheduled for removal in v8.0.0. Additionally, it requires the CREATE_TOKENS_FOR_USERS=true environment variable to be set, which isn’t available on Rocket.Chat Cloud or SaaS-hosted instances.
We didn’t implement it fully (as the endpoint is deactivated by default), but we’re looking for “any modern, supported alternatives” that let a backend securely generate a usable Rocket.Chat session token “without knowing the user’s password”.
We’re aware of /users.generatePersonalAccessToken, but it doesn’t provide tokens that work for session-based login (they’re for API usage only).
Our end goal is:
- Authenticate a user in the React Native app (via Auth0)
- Open Rocket.Chat in a WebView
- Log the user in seamlessly (ideally via injected session or some kind of token exchange)
Is there an official or recommended alternative to users.createToken for this purpose?