The HTTP methods that are LRS-specific are given in the xAPI spec. Requests to the LRS (which are denoted by the xapi path prefix) must contain a Base64 encoded, colon-separated public and secret API key pair in the Authorization field of the header. For example (assuming http://example is the URL body), http://example.org/xapi/statements is the URL at which the user inserts and queries xAPI statements; other URLs are used to insert and query documents, agents, and activities.
In addition to the LRS HTTP methods, the SQL LRS supports methods for admin account creation, login, and use, as well as routes used to create and use API ; these methods are denoted by the admin path prefix.
The following examples use http://example.org as the URL body. All methods return 200 OK on success. All routes except for account/login and admin/env must contain a JSON Web Token (JWT), generated by account creation or login, in the Authorization header in the form of Bearer [JWT]; if the JWT is expired or invalid, a 401 UNAUTHORIZED is returned. All methods also require that the request body be a JSON object, though the permitted values depend on the route; invalid request bodies will result in a 400 BAD REQUEST error. If an error is encountered, these routes return a JSON object in the body like the following:
{
"error": "[error message]"
}
POST http://example.org/admin/account/login: Log into an existing account. The request body must be a JSON object that contains username and password strings. The response body contains a newly generated JSON Web Token (JWT) on success. A 401 UNAUTHORIZED status code is returned if the credentials are incorrect.
POST http://example.org/admin/account/create: Create a new admin account. The request body must be a JSON object that contains username and password strings. The endpoint returns a JSON object with the ID (UUID) of the newly created user on success, and returns a 409 CONFLICT if the account already exists.
DELETE http://example.org/admin/account: Delete an existing account. The JSON request body must contain a UUID account-id value. The endpoint returns a JSON object with the ID of the deleted account on success and returns a 404 NOT FOUND error if the account does not exist.
GET http://example.org/admin/account: Return an array of all admin accounts in the system on success.
GET http://example.org/admin/me: Returns the currently authenticated admin accounts on success.
POST http://example.org/admin/creds: Create a new credential pair, with the specified scope values given by the scopes property in the request body.
PUT http://example.org/admin/creds: Update an existing credential pair, given by api-key and secret-key properties in the request body, with the new scopes given by the scopes property.
GET http://example.org/admin/creds: Read all credential pairs and their associated scopes for a particular account (denoted by the JWT).
DELETE http://example.org/admin/creds: Delete an existing credential pair, given by the api-key and secret-key properties in the request body, as well as any associated scopes.
GET http://example.org/admin/env: Get select environment variables about the configuration which may aid in client-side operations. Currently returns a map containing the configuration variables urlPrefix and enableStmtHtml.
DELETE http://example.org/admin/agents: Runs a hard delete of all records of an actor, and associated records (statements, attachments, etc). Intended for privacy purposes like GDPR. Body should be a JSON object of form {"actor-ifi":<actor-ifi>}. Disabled unless the configuration variable enableAdminDeleteActor is set to true.
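The two authentication schemes described above, as an added example that is not part of the SQL LRS project's own code: it builds (without sending) requests for xapi and admin routes and reads the error object the admin routes return. It assumes the Base64 key pair is sent using the standard HTTP Basic scheme; the function names and all credential values are constructed for illustration.

```python
import base64
import json
import urllib.request

BASE = "http://example.org"               # URL body used on this page
NO_JWT_ROUTES = {"account/login", "env"}  # admin routes the page exempts from the JWT

def xapi_request(path, api_key, secret_key, method="GET", body=None):
    """Request for an xapi route: Base64 of 'api-key:secret-key' (Basic scheme assumed)."""
    pair = base64.b64encode(f"{api_key}:{secret_key}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"{BASE}/xapi/{path}", data=data, method=method)
    req.add_header("Authorization", f"Basic {pair}")
    return req

def admin_request(method, route, body, jwt=None):
    """Request for an admin route: JSON object body, Bearer JWT unless exempt."""
    if not isinstance(body, dict):
        raise TypeError("admin routes take a JSON object as the request body")
    req = urllib.request.Request(f"{BASE}/admin/{route}",
                                 data=json.dumps(body).encode(), method=method)
    req.add_header("Content-Type", "application/json")
    if route not in NO_JWT_ROUTES:
        if not jwt:
            raise ValueError(f"admin/{route} requires a JWT from account login or creation")
        req.add_header("Authorization", f"Bearer {jwt}")
    return req

class AdminError(Exception):
    def __init__(self, status, message):
        super().__init__(f"{status}: {message}")
        self.status, self.message = status, message

def read_admin_response(status, raw):
    """Return the parsed body on 200 OK, else raise with the 'error' string."""
    payload = json.loads(raw) if raw else {}
    if status == 200:
        return payload
    raise AdminError(status, payload.get("error", "unknown error"))

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    login = admin_request("POST", "account/login", {"username": "admin", "password": "example-pw"})
    creds = admin_request("GET", "creds", {}, jwt="constructed.jwt.value")
    stmts = xapi_request("statements", "constructed-key", "constructed-secret")
    for r in (login, creds, stmts):
        print(r.get_method(), r.full_url, r.get_header("Authorization"))
```

Base64 is an encoding, so the secret key can be read back from the Authorization value by anyone who sees the request; deployments should serve these routes over TLS rather than the plain http:// URL body used in the examples.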