OneRoster v1.1 API

Xporter provides a school-scoped IMS OneRoster v1.1 API for partners who need to retrieve rostering data for a specific school.

This guide explains how to authenticate, which endpoints are available, and how to work with filtering, sorting, and paging.

Base URL

https://xporter.groupcall.com/api/ims/oneroster/v1p1/school

Available endpoints

The following collection endpoints are currently available:

GET /orgs
GET /users
GET /academicSessions
GET /classes
GET /courses
GET /enrollments

Version endpoints are also available:

GET /version
GET /auth/version

Authentication

The API uses a bearer token.

1. Request a token

Send a POST request to:

POST /api/ims/oneroster/v1p1/school/auth/token

Use HTTP Basic authentication.

The Basic auth username format is:

rp|estab

Where:

rp is your relying party identifier
estab is the establishment identifier
the Basic auth password is the shared secret for that relying party and school

The Authorization header therefore looks like:

Basic <base64(rp|estab:sharedSecret)>

Example token request

POST /api/ims/oneroster/v1p1/school/auth/token HTTP/1.1
Host: xporter.groupcall.com
Authorization: Basic cGFydG5lci1ycHwzMjgxMTEwOnN1cGVyLXNlY3JldA==
Accept: application/json

Successful response

{
  "access_token": "<token>",
  "token_type": "Bearer",
  "expires_in": 3600
}

Error response

{
  "error": "invalid_client",
  "error_description": "Request contains an invalid client ID or secret"
}

2. Call the API

Include the bearer token in the Authorization header for subsequent requests:

Authorization: Bearer <token>

Example:

GET /api/ims/oneroster/v1p1/school/users HTTP/1.1
Host: xporter.groupcall.com
Authorization: Bearer <token>
Accept: application/json

Query options

The following query options are supported on collection endpoints:

Parameter	Type	Description
`filter`	string	Filters the collection response.
`limit`	integer	Maximum number of records to return.
`offset`	integer	Zero-based index of the first record to return.
`sort`	string	Sort field name.
`orderBy`	string	Sort direction: `asc` or `desc`.

Filter syntax

Examples:

filter=status='active'
filter=status='tobedeleted'
filter=sourcedId='x42Y7TNMV'
filter=dateLastModified>'2026-01-01T00:00:00Z'
filter=class.sourcedId='x11BSAT6S' and role='student'

Supported operators

=
!=
>
>=
<
<=

Nested filter paths

Nested reference filters are supported for:

class.sourcedId
school.sourcedId
user.sourcedId

Paging example

GET /api/ims/oneroster/v1p1/school/users?limit=100&offset=0
GET /api/ims/oneroster/v1p1/school/users?limit=100&offset=100

Sorted and filtered example

GET /api/ims/oneroster/v1p1/school/enrollments?filter=class.sourcedId='x11BSAT6S' and role='student'&sort=dateLastModified&orderBy=desc&limit=100&offset=0

Response notes

Users

The users endpoint can return both active users and users that should be treated as deletion candidates.

Examples:

current users are returned with status: "active"
previous or leaver users are returned with status: "tobedeleted"

Key response fields: sourcedId, status, dateLastModified, username, givenName, familyName, identifier, role. The following fields are returned when non-null: email, middleName, sms, phone, enabledUser, orgSourcedIds (array of org ID strings), userIds (array of {type, identifier} objects), grades (single-element array containing the year group number as a string, e.g. ["8"]).

Enrollments

The enrollments endpoint returns nested references for:

user
class
school

beginDate and endDate are returned when present.

Classes

The classes endpoint returns: sourcedId, status, dateLastModified, title, classCode, classType. Optional sourceID fields returned when non-null:

course
school
terms (array of sourceID, type academicSession)

Date formats

The API returns:

date-only fields such as startDate, endDate, and beginDate in yyyy-MM-dd format
timestamp fields such as dateLastModified in ISO 8601 UTC format

Example:

2026-03-21T03:35:42.017Z

HTTP status codes

Code	Scenario
`200 OK`	Request succeeded.
`400 Bad Request`	Invalid query options or request formatting.
`401 Unauthorized`	Invalid client credentials on the token endpoint, or invalid or missing bearer token on a protected endpoint.
`403 Forbidden`	The token is valid but the caller is not authorised to access the requested data.
`500 Internal Server Error`	The request could not be completed because of an unexpected server-side error.

Base URL​

Available endpoints​

Authentication​

1. Request a token​

Example token request​

Successful response​

Error response​

2. Call the API​

Query options​

Filter syntax​

Supported operators​

Nested filter paths​

Paging example​

Sorted and filtered example​

Response notes​

Users​

Enrollments​

Classes​

Date formats​

HTTP status codes​

Further reading​