Its seems so weak. The token is regenerated in every login or not?
You must not pass userid by get parameters. Try to implement something like OAuth2 in the external system.
I am using webservices api and I already have a user token. Is it possible to login to moodle website using that token?
Thanks
Charan