
Concepts

To provide the highest possible level of security and data segregation, authenticating to the Xporter API works differently to some other APIs that you may have encountered.

Every time a school authorises your app, we generate a schoolSecret and POST it to the authorisationURL defined for your application. Each schoolSecret must be used to generate a time-limited token, which is then used to authenticate to the Xporter API.

This requires that your application can accept POST requests as described in processing secrets and store these schoolSecret values for future use.

Tip: You can think of this like the OAuth 2.0 client credentials grant type, where each school has a specific client_id and client_secret.

Advantages

  • No single secret grants access to multiple schools' data. In the event of a key being compromised, exposure is limited to a single school.
  • No way to cross-pollinate data requests. An authenticated session to Xporter can only return data for the specific authenticated school, reducing the risk of data breaches.
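The per-school model described above, sketched as an added example that is not part of the Xporter documentation: a store that keeps one schoolSecret and one cached time-limited token per school, so revoking or rotating one school never touches another. The class name, the `school_id` key and the `exchange` callable (standing in for the real token request, which this page does not specify) are assumptions.

```python
import time

class SchoolCredentials:
    """One schoolSecret and one cached token per school; nothing is shared."""

    def __init__(self, exchange, clock=time.monotonic, skew=30.0):
        # exchange(school_id, school_secret) -> (token, lifetime_seconds) is a
        # hypothetical callable wrapping the real token request, which this
        # page does not specify.
        self._exchange = exchange
        self._clock = clock
        self._skew = skew      # refresh this many seconds before expiry
        self._secrets = {}     # school_id -> schoolSecret (encrypt at rest in production)
        self._tokens = {}      # school_id -> (token, expires_at)

    def store_secret(self, school_id, school_secret):
        """Call from the handler that receives the POST on your authorisationURL."""
        if not school_id or not school_secret:
            raise ValueError("school_id and school_secret are required")
        self._secrets[school_id] = school_secret
        self._tokens.pop(school_id, None)   # token from an older secret is stale

    def revoke(self, school_id):
        """Drop one school's credentials, e.g. after a suspected compromise."""
        self._secrets.pop(school_id, None)
        self._tokens.pop(school_id, None)

    def token_for(self, school_id):
        """Return a valid token for exactly this school, minting one if needed."""
        if school_id not in self._secrets:
            raise KeyError(f"school {school_id!r} has not authorised this app")
        cached = self._tokens.get(school_id)
        if cached and cached[1] - self._skew > self._clock():
            return cached[0]
        token, lifetime = self._exchange(school_id, self._secrets[school_id])
        self._tokens[school_id] = (token, self._clock() + lifetime)
        return token

if __name__ == "__main__":
    # Constructed stand-in for the token request; values are sample data.
    demo = SchoolCredentials(lambda sid, secret: (f"token-for-{sid}", 300.0))
    demo.store_secret("school-a", "constructed-secret-a")
    print(demo.token_for("school-a"))
```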