OneRoster v1.1 API
Xporter exposes a compliant IMS Global OneRoster v1.1 API that allows third-party systems to retrieve rostering data (organisations, users, classes, enrolments, and academic sessions) from schools connected to the platform.
Base URL
https://xporter.groupcall.com/api/ims/oneroster/v1p1
Authentication
The API uses OAuth 2.0 client credentials flow (Bearer token). You must obtain a token first and include it in all subsequent requests.
Step 1 — Obtain a bearer token
Send a POST request to the /token endpoint with your client_id and client_secret in a Basic Authorization header.
The Authorization header value is:
Basic <base64(client_id:client_secret)>
Example
POST /api/ims/oneroster/v1p1/token HTTP/1.1
Host: xporter.groupcall.com
Authorization: Basic Y2xpZW50X2lkOmNsaWVudF9zZWNyZXQ=
Successful response (200 OK)
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
"token_type": "Bearer",
"expires_in": 3600
}
Error response (401 Unauthorized)
{
"error": "invalid_client",
"error_description": "Request contains an invalid client ID or secret"
}
Step 2 — Call protected endpoints
Include the token in the Authorization header of every subsequent request:
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Supported query parameters
All collection endpoints support the following query parameters.
| Parameter | Type | Description |
|---|---|---|
limit | integer | Maximum number of records to return. Passed directly to the stored procedure. Omitting it returns all matching records. |
offset | integer | Zero-based index of the first record to return. Use with limit for pagination. |
filter | string | A single expression of the form key='value'. Only status is supported as a filter key. The enrollments endpoint ignores this filter entirely. |
Filter syntax
filter=status='active'
filter=status='tobedeleted'
Only a single key='value' expression is supported. Complex expressions with AND/OR are not parsed.
Pagination example
GET /api/ims/oneroster/v1p1/users?limit=100&offset=0
GET /api/ims/oneroster/v1p1/users?limit=100&offset=100
HTTP status codes
| Code | Scenario |
|---|---|
200 OK | Request succeeded. |
400 Bad Request | Auth token invalid/missing on a data endpoint, or a server-side error occurred. Response body is plain text (exception message), not JSON. |
401 Unauthorized | Returned only by POST /token when client credentials are invalid. |
403 Forbidden | Bearer token absent on a collection endpoint at the web proxy layer. |
When the back-end Azure Function throws (including on token validation failure), the response is 400 Bad Request with a text/plain body containing the raw exception message. Your integration must handle non-JSON 400 responses gracefully and not attempt to parse them as JSON.
Further reading
- IMS Global OneRoster v1.1 Specification
- OpenAPI Specification — machine-readable API definition
- Postman Collection — import into Postman to start testing immediately