Accessing User Data


Authorization Header

All the REST APIs require the Authorization header with Bearer {access_token} obtained from the previous step.

You can now use the access_token to access data for the currently logged in user. The root endpoint for accessing data can be found at and documented in the OneClick SSO REST API section.

Get User Info##

Let's fetch the user info for the currently logged in user with your access token! If you are looking for identity information, you can use the endpoint.

Simply do a GET request with Authorization : Bearer {access_token} as a header to


The API will respond with details related to the user.



The TenantId will identify which district the user is from. Please make sure you know what tenantId is assigned to the school district you are working with

UserIdUnique ID assigned to the user within ClassLink
TenantIdID assigned to the school district. Ensure you are working with users in the proper Tenant ID.
LoginIdAD username if it exists. Most school districts use Active Directory and this will be populated with their AD username.
TenantName of the school district the user is from.
BuildingName of the domain. Most districts usually just have one building/domain configured.
Roleavailable roles are Student, Teacher, Tenant Administrator
SourcedIdIf the district has OneRoster enabled, this will have the sourcedId of the user from OneRoster.


Access Denied!

Some endpoints may not work if you do not request the proper scopes.

Open ID

Another way is through the id_token. To get the user info, simply take the id_token, go to, and it would decode the id_token. Only view the Payload section.

issString identifying the party that issued this state value.
subString identifying the subject that this state value is intended for.
audString identifying the client that this state value is intended for.
nonceValue used to associate a Client session with an ID Token.
expThe expiration time on or after which the JWT MUST NOT be accepted for processing.
iatTimestamp of when this Authorization Request was issued.
auth_timeTime when the authentication occurred.
login_hintHint to the Authorization Server about the login identifier the End-User might use to log in (if necessary).
email_verifiedThe e-mail address was controlled by the End-User at the time the verification was performed.
emailEnd-User's preferred e-mail address.
nameEnd-User's full name in displayable form including all name parts, possibly including titles and suffixes, ordered according to the End-User's locale and preferences.
profileURL of the End-User's profile page. The contents of this Web page SHOULD be about the End-User.
addressEnd-User's preferred postal address.
localityEnd-User's locale.
regionEnd-User's time zone.
rfpString containing a verifiable identifier for the browser session, that cannot be guessed by a third party.



rfp parameter will only show up if state query parameter is used in launch link.