Using OAuth

Lou Wolford edited this page Sep 22, 2016 · 7 revisions

To enable OAuth on the LRS (it is not set by default), make sure the OAUTH_ENABLED flag in settings is set to True. If you aren't yet a registered user on the LRS, you must first register as one to be able to register a client(/XAPI/register).


After you do, to create an OAuth1 client visit the OAuth client registration page (/XAPI/regclient). You will be asked to supply a client name, description, and if you're using your RSA Signature workflow, that as well. Once your client has been registered, you will be assigned a Client Identifier and Client Shared-Secret.

  1. Request (GET) the temporary credentials at the Request Token (/XAPI/OAuth/initiate) endpoint (your headers should contain at minimum the oauth_consumer_key (client identifier), oauth_signature_method, scope, oauth_callback, and oauth_signature parameters). For more on what parameters are required and optional, please view the Oauth1a spec. Also note that scope is not included in the OAuth1 spec, it is exclusive to the xAPI spec.

  2. The LRS will respond with the oauth_token, oauth_token_secret and oauth_callback_confirmed.

  3. Your client should redirect you to the LRS auth endpoint (/XAPI/OAuth/authorize) with the oauth_token. Here you will confirm the scope of the client and give it permission to act on your behalf.

  4. The LRS then redirects you back to your client, via your oauth_callback, with the oauth_token and oauth_verifier. If you used 'oob' (out of band) as your oauth_callback the LRS will instead generate the oauth_verifier and ask you to input it into your client).

  5. Your client should then make a GET request to the LRS access token endpoint (/XAPI/OAuth/token) with at least the following headers: oauth_consumer_key, oauth_token, oauth_signature_method, oauth_verifier, oauth_signature.

  6. The LRS validates the request, and if successful returns the oauth_token and oauth_token_secret.

  7. You are then free to make authorized requests by including at minimum the following headers: oauth_consumer_key, oauth_token, oauth_signature_method, and oauth_signature.

View our OAuth examples [here] (

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.