Authentication & Security
Lion Reader
Lion Reader takes security and privacy seriously. Whether you’re signing in with email or OAuth, managing API tokens, or connecting AI assistants, your data is protected with industry-standard security practices.
Multiple Sign-In Methods
Choose the authentication method that works best for you:
- Email and password — Traditional authentication with Argon2 password hashing, a memory-hard algorithm designed to resist brute-force cracking
- Google OAuth — Sign in with your Google account, with optional Google Docs access for importing documents
- Apple Sign-In — Native Apple authentication with support for private relay email addresses
- Discord OAuth — Connect with your Discord account for quick sign-in
All OAuth providers are optional and can be enabled or disabled per deployment. Your Lion Reader instance, your choice.
Session Management
- Secure storage — Session tokens are stored as SHA-256 hashes, never in plain text
- Redis caching — Sessions are cached for fast validation with a 5-minute TTL
- Active session tracking — View all your sessions with browser, platform, IP address, and last active timestamp
- Revocation — Revoke any session instantly from the settings page
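The session flow above (hash-only storage, a short-lived validation cache, per-session metadata, and instant revocation) as an added example; this is illustrative code written for this page, not Lion Reader's own implementation. The store layout, method names and the in-memory stand-ins for the database and Redis are assumptions; the 5-minute TTL is the value the page states.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The page states a 5-minute validation cache TTL; everything else here is assumed.
SESSION_CACHE_TTL_SECONDS = 5 * 60


@dataclass
class SessionRecord:
    user_id: str
    token_hash: str      # SHA-256 hex digest; the raw token is never written anywhere
    browser: str
    platform: str
    ip_address: str
    last_active: float
    revoked: bool = False


class SessionStore:
    """Constructed in-memory stand-in for the database and the Redis cache."""

    def __init__(self) -> None:
        self.db: Dict[str, SessionRecord] = {}            # persistent store, keyed by token hash
        self.cache: Dict[str, Tuple[str, float]] = {}     # token hash -> (user_id, expires_at)
        self.db_reads = 0                                  # instrumentation for this example only

    @staticmethod
    def hash_token(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def create_session(self, user_id: str, browser: str, platform: str,
                       ip_address: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)                  # 256 bits from the OS CSPRNG
        token_hash = self.hash_token(token)
        self.db[token_hash] = SessionRecord(user_id, token_hash, browser,
                                            platform, ip_address, now)
        return token                                       # shown to the client exactly once

    def validate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id for a live session, or None."""
        now = time.time() if now is None else now
        token_hash = self.hash_token(token)
        cached = self.cache.get(token_hash)
        if cached is not None and cached[1] > now:
            user_id = cached[0]                            # cache hit: no database round trip
        else:
            self.db_reads += 1
            record = self.db.get(token_hash)
            if record is None or record.revoked:
                return None
            self.cache[token_hash] = (record.user_id, now + SESSION_CACHE_TTL_SECONDS)
            user_id = record.user_id
        self.db[token_hash].last_active = now
        return user_id

    def list_sessions(self, user_id: str) -> List[SessionRecord]:
        """What the settings page shows: browser, platform, IP and last-active time."""
        return [r for r in self.db.values() if r.user_id == user_id and not r.revoked]

    def revoke(self, user_id: str, token_hash: str) -> bool:
        record = self.db.get(token_hash)
        if record is None or record.user_id != user_id:
            return False                                   # never revoke another user's session
        record.revoked = True
        self.cache.pop(token_hash, None)                   # evict, or the cache keeps it alive up to the TTL
        return True
```

The detail worth checking in any cached-session design is the revocation path: if revoking only flips a flag in the database, a cached entry stays valid until its TTL expires, so the cache entry must be evicted in the same operation. A leaked database dump exposes only digests, and because the token carries 256 bits of entropy there is no need for a salt or a slow hash here; Argon2 is for low-entropy passwords, SHA-256 is sufficient for random tokens.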
API Tokens
Connect external tools and scripts to your Lion Reader account with API tokens:
- Scoped permissions — Tokens can be limited to specific capabilities like saved:write or mcp
- Expiration dates — Set automatic expiration for temporary access
- Usage tracking — See when each token was last used
- Perfect for extensions — Use API tokens to connect browser extensions, the MCP server, or the Discord bot
Security Features
- Rate limiting — Per-user rate limiting via Redis token bucket prevents abuse
- Respectful fetching — Feed fetching uses exponential backoff and respects server Cache-Control headers, Retry-After directives, and HTTP 429 responses
- Webhook verification — Email webhooks use HMAC signature verification
- Content sanitization — All feed content is sanitized to prevent XSS attacks
- Invite-only mode — Deploy with invite-only registration to control access
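The per-user token bucket named in the rate-limiting item, as an added example written for this page rather than Lion Reader's own code. The production limiter runs in Redis; the class below is an in-memory model with the same semantics (a capacity, a steady refill rate, one bucket per user), and the capacity and refill values in the test are constructed.

```python
import time
from typing import Dict, Optional, Tuple


class TokenBucketLimiter:
    """Constructed in-memory model of a per-user token bucket.

    In a Redis deployment the read-refill-deduct step below runs as one atomic
    operation (for example a Lua script) so concurrent requests cannot both
    spend the same token; a plain Python dict has no such race in this example.
    """

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity = float(capacity)
        self.refill = refill_per_second
        self.buckets: Dict[str, Tuple[float, float]] = {}   # user_id -> (tokens, last_update)

    def _current_tokens(self, user_id: str, now: float) -> float:
        # A user seen for the first time starts with a full bucket.
        tokens, last = self.buckets.get(user_id, (self.capacity, now))
        return min(self.capacity, tokens + (now - last) * self.refill)

    def allow(self, user_id: str, cost: float = 1.0, now: Optional[float] = None) -> bool:
        """Spend `cost` tokens for this user if available; otherwise reject."""
        now = time.time() if now is None else now
        tokens = self._current_tokens(user_id, now)
        if tokens >= cost:
            self.buckets[user_id] = (tokens - cost, now)
            return True
        self.buckets[user_id] = (tokens, now)               # rejected requests do not drain the bucket
        return False

    def retry_after(self, user_id: str, cost: float = 1.0, now: Optional[float] = None) -> float:
        """Seconds until `cost` tokens will be available; useful for a Retry-After header."""
        now = time.time() if now is None else now
        tokens = self._current_tokens(user_id, now)
        if tokens >= cost:
            return 0.0
        return (cost - tokens) / self.refill
```

Bursts up to the capacity pass immediately, sustained traffic is held to the refill rate, and one user exhausting their bucket has no effect on another user's, which is what makes the limit per-user rather than global.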
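The HMAC signature check named in the webhook-verification item, as an added example written for this page; it is not Lion Reader's code and the page does not specify its header format. The `t=<unix seconds>,v1=<hex HMAC-SHA256>` header layout, the 300-second skew window, the secret and the sample email payload are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed header format (not specified on the page): "t=<unix seconds>,v1=<hex HMAC-SHA256>".
# The timestamp is bound into the signed message so a captured request cannot be replayed later.
MAX_SKEW_SECONDS = 300


def _signed_payload(timestamp: int, body: bytes) -> bytes:
    return str(timestamp).encode("ascii") + b"." + body


def sign_webhook(secret: bytes, timestamp: int, body: bytes) -> str:
    """What the sending side computes (constructed for this example)."""
    mac = hmac.new(secret, _signed_payload(timestamp, body), hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={mac}"


def verify_webhook(secret: bytes, signature_header: str, body: bytes,
                   now: Optional[float] = None) -> bool:
    """Receiver-side check: parse the header, bound the timestamp, compare in constant time."""
    now = time.time() if now is None else now
    fields = {}
    for part in signature_header.split(","):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    try:
        timestamp = int(fields["t"])
        presented = fields["v1"]
    except (KeyError, ValueError):
        return False                      # malformed header: reject before doing any crypto
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False                      # stale or future-dated: treat as a replay
    expected = hmac.new(secret, _signed_payload(timestamp, body), hashlib.sha256).hexdigest()
    # compare_digest runs in time independent of where the first mismatching byte is,
    # so an attacker cannot recover the MAC one byte at a time from response latency.
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))
```

Two points matter in practice: the MAC must be computed over the raw request bytes exactly as received (not over a re-serialized JSON object, which can differ in whitespace or key order), and the comparison must be constant-time, which is why `hmac.compare_digest` is used instead of `==`.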
Privacy Protections
- Subscription-based visibility — You only see entries fetched after you subscribed, preventing access to historical private content
- Starred entry preservation — Entries you’ve starred remain visible even after unsubscribing
- Soft deletes — Unsubscribing preserves your read state and preferences for seamless resubscription
- Your data stays yours — No ads, no data selling, no third-party analytics. Reading behavior is used only to power features like article scoring, and self-hosting gives you full control