You need a site under https to test this, you can mock the is_https function and return true always You need a new user account in the site As admin, enable Mobile services and set typeoflogin in Admin/Plugins/Web Service/Mobile to log in via browser and logout Ensure that you are not logged in the site In Chrome, enable the developer tools, and then switch to the "Mobile device emulation" tool, is an icon that displays a phone/tablet, then you can select Iphone or iPad, this will change the user-agent. Is important to use iPhone or iPad because it will help with the debugging. Point the browser to admin/tool/mobile/launch.php?service=moodle_mobile_app&passport=abc, you should be redirected to /login/index.php. Login with the account created in 2 and then you should be redirected back to admin/tool/mobile/launch.php Check that you see a screen with a link saying "Please, click here if the app does not open automatically", if you inspect the link you will see that points to moodlemobile://token=A_BASE64_STRING Using an online tool like https://www.base64decode.org/ decode the A_BASE64_STRING You will see a string separated by :::. In the Moodle database, table external_tokens, you should check that the second part of the string is the token, and the third part is the private token Repeat the process and check that this time you don't receive the private token (the private token is only returned the first time the token is created) If you repeat the steps but using the admin account, you should not receive the private token If you repeat the steps in a site not using https (with a new user account) you should not receive the private token