Authentication & Security

Lion Reader takes security and privacy seriously. Whether you’re signing in with email or OAuth, managing API tokens, or connecting AI assistants, your data is protected with industry-standard security practices.
Multiple Sign-In Methods
Choose the authentication method that works best for you:
- Email and password — Traditional authentication with Argon2 password hashing, one of the most secure hashing algorithms available
- Google OAuth — Sign in with your Google account, with optional Google Docs access for importing documents
- Apple Sign-In — Native Apple authentication with support for private relay email addresses
- Discord OAuth — Connect with your Discord account for quick sign-in
All OAuth providers are optional and can be enabled or disabled per deployment. Your Lion Reader instance, your choice.
Session Management
- Secure storage — Session tokens are stored as SHA-256 hashes, never in plain text
- Redis caching — Sessions are cached for fast validation with a 5-minute TTL
- Active session tracking — View all your sessions with browser, platform, IP address, and last active timestamp
- Revocation — Revoke any session instantly from the settings page
API Tokens
Connect external tools and scripts to your Lion Reader account with API tokens:
- Scoped permissions — Tokens can be limited to specific capabilities like saved:write or mcp
- Expiration dates — Set automatic expiration for temporary access
- Usage tracking — See when each token was last used
- Perfect for extensions — Use API tokens to connect browser extensions, the MCP server, or the Discord bot
Security Features
- Rate limiting — Per-user rate limiting via Redis token bucket prevents abuse
- Respectful fetching — Feed fetching uses exponential backoff and respects server Cache-Control headers, Retry-After directives, and HTTP 429 responses
- Webhook verification — Email webhooks use HMAC signature verification
- Content sanitization — All feed content is sanitized to prevent XSS attacks
- Invite-only mode — Deploy with invite-only registration to control access
Privacy Protections
- Subscription-based visibility — You only see entries fetched after you subscribed, preventing access to historical private content
- Starred entry preservation — Entries you’ve starred remain visible even after unsubscribing
- Soft deletes — Unsubscribing preserves your read state and preferences for seamless resubscription
- Your data stays yours — No ads, no data selling, no third-party analytics. Your reading behavior is used only to sync your read and starred state across devices, and self-hosting gives you full control