Version: 1.1

Introduction

Xporter exposes a compliant IMS Global OneRoster v1.1 API that allows third-party systems to retrieve rostering data (organisations, users, classes, enrolments, and academic sessions) from schools connected to the platform.

Base URL

https://xporter.groupcall.com/api/ims/oneroster/v1p1/school

Authentication

The API uses a bearer token.

Step 1 — Obtain a bearer token

Send a POST request to the /auth/token endpoint using HTTP Basic authentication.

The Basic auth username format is:

rp|estab

Where:

rp is your relying party identifier
estab is the establishment identifier
the Basic auth password is the shared secret for that relying party and school

The Authorization header therefore looks like:

Authorization: Basic <base64(rp|estab:sharedSecret)>

Example request

POST /api/ims/oneroster/v1p1/school/auth/token HTTP/1.1
Host: xporter.groupcall.com
Authorization: Basic cGFydG5lci1ycHwzMjgxMTEwOnN1cGVyLXNlY3JldA==
Accept: application/json

Successful response (200 OK)

{
  "access_token": "<token>",
  "token_type": "Bearer",
  "expires_in": 3600
}

Error response (401 Unauthorized)

{
  "error": "invalid_client",
  "error_description": "Request contains an invalid client ID or secret"
}

Step 2 — Call protected endpoints

Include the token in the Authorization header of every subsequent request:

Authorization: Bearer <token>

Query parameter support

All collection endpoints support the following query parameters.

Parameter	Description
`limit`	Maximum number of records to return. Omitting it returns all matching records.
`offset`	Zero-based index of the first record to return. Use with `limit` for pagination.
`filter`	Filter expression using OneRoster filter syntax.
`sort`	Sort field name.
`orderBy`	Sort direction: `asc` or `desc`.

Filter syntax

filter=status='active'
filter=status='tobedeleted'
filter=sourcedId='x42Y7TNMV'
filter=dateLastModified>'2026-01-01T00:00:00Z'
filter=class.sourcedId='x11BSAT6S' and role='student'

Supported operators: =, !=, >, >=, <, <

Nested reference filters are supported for class.sourcedId, school.sourcedId, and user.sourcedId.

HTTP status codes

Code	Scenario
`200 OK`	Request succeeded.
`400 Bad Request`	Invalid query options or request formatting.
`401 Unauthorized`	Invalid client credentials on the token endpoint, or invalid or missing bearer token on a protected endpoint.
`403 Forbidden`	The token is valid but the caller is not authorised to access the requested data.
`500 Internal Server Error`	The request could not be completed because of an unexpected server-side error.

Integration checklist

Obtain your relying party identifier (rp), establishment identifier (estab), and shared secret from the Xporter platform.
Call POST /auth/token and cache the access_token — reuse it until expires_in seconds have elapsed.
When 401 is received on a data endpoint, re-authenticate and retry once.
Use limit + offset to page through large result sets. Omitting limit returns all records.
Use filter=status='active' to exclude soft-deleted records where required.
Use limit + offset to page through large result sets. Omitting limit returns all records.
Link users to classes: join users → enrollments → classes via sourcedId.
Users carry orgSourcedIds (string array) and optionally userIds (array of {type, identifier} objects).
beginDate and endDate are returned on enrolment records when present.