Autologin path is: WebRTC Client — WCS — Authentication server

Here authentication server might be your web server with a simple php script that returns an appropriate XML back upon request from WCS3

Actions:

1. WebRTC Client sends an unique token to WCS3.
The token might be web sessionId or other unique identifier saved at your database or generted on demand.
For example you can generate the token using some private key:
encrypt(sipLogin+”,”+sipPassword+”,”+outboundProxy…)
then decrypt the token upon WCS request: decrypt(token) to restore SIP credentials.

Main idea: you manage the token, you generate it and you restore SIP credentials by this token, you can limit the token expiration date. So nobody can use old or expired token for a call.

2. WCS sends authentication request to Auth Server.
For example: http://yourserver.com?token=12345qwerty

3. Auth server pulls SIP credentials from a database or decript it using a shared secret key and wraps the extracted credentials into valid XML.

4. WCS uses the received SIP creentials to REGISTER on SIP server.

So, only WCS server itself has access to the SIP credentials and the credentials are not available for end-user.

By default WCS uses 2 static Auth Server urls in flashphoner.properties:
auto_login_url =/usr/local/FlashphonerWebCallServer/conf/account.xml
get_callee_url =/usr/local/FlashphonerWebCallServer/conf/callee.xml

The URLs can be dynamic. For example PHP.

Please read more here