Developers have 2 ways of accessing data from a OneRoster server. OneRoster is hosted by each school district and you can connect to the server directly using OAuth1 or using the ClassLink OAuth2 Proxy.


IMS OneRoster v1.1 Specification uses OAuth1

If you want to be 100% compliant to the IMS spec, you must use OAuth1.

Accessing OneRoster using OAuth1 (Direct)

After a district has granted you access to their OneRoster server, you can connect to it directly using OAuth1 signatures. Open the ClassLink developer console and go to the OneRoster module. Click on the key next to your school to see the direct access credentials.

This will give you the server url, client secret and id.

Twitter has great documentation on generating OAuth1 signatures. We highly recommend you use a library for generating sigatures. They must be sent in each REST API request as an Authorization Header.

Each OneRoster server will have a documentation page where you can test your API KEY and secret.


Accessing OneRoster using OAuth2 (ClassLink Proxy)

The second method for accessing OneRoster data is through the ClassLink OneRoster proxy. The ClassLink OneRoster proxy will automatically direct requests to the proper OneRoster server and sign the request using OAuth1 signatures.

After a district has granted you access to their OneRoster data, all you have do to is make your request to a valid OneRoster endpoint.


You can get your application id from the developer console under OneRoster. This has an access token which is used in the API request as a bearer token.


Accessing Schools Using OneRoster Proxy

Here is an example where you use your application id for the district and you will call the endpoint as you normally would.

Use the access_token found in the Developer Console as the Bearer token.




Your access token does not expire so keep it safe! If you ever need to refresh your token, you can refresh it from the console.