Totara has a number of APIs available, each with its own specific purpose:
...
| API | Description | Status | Availability | Technology | Target audience | Endpoint location | Authentication mechanism | Notes |
|---|---|---|---|---|---|---|---|---|
| 'External' API | Modern, fully-featured API | Preferred external API, undergoing active development | TXP17+ | GraphQL Client-defined queries Introspection via API setting | Used by developers wanting to integrate with Totara. Implemented by Totara and partner developers wanting to extend Totara's core APIs. | /api/graphql.php | OAuth 2.0 access token | Currently has limited available services but these will grow over time. |
| AJAX API | Used by Totara's client-side Javascript to obtain data from back-end server | Preferred internal API | TXP13+ | GraphQL Persisted queries only No introspection | Used by front-end developers writing Totara TUI components. Implemented by Totara and partner developers wanting to extend Totara's core TUI functionality. | /totara/webapi/ajax.php | Session ID via web cookie + CSRF token Also supports some unauthenticated 'nosession' requests | Not suitable for external access due to web cookie authentication. |
| Mobile API | Used by Totara's official mobile app to obtain data from back-end server | Preferred API for mobile development | TXP13+ | GraphQL Persisted queries only No introspection | Used by the Totara mobile app. Implemented by Totara and partner developers wanting to extend Totara's mobile app. | /totara/mobile/api.php | API key passed in request header | |
| Developer API | Used by developers while developing code for Totara | Optional API for use by developers | TXP13+ | GraphQL Client-defined queries Introspection available | Developers during code development process. | /totara/webapi/dev_graphql_executor.php | Session ID via web cookie or header | Provides access to the schema of all endpoint types. |
| Legacy web services | Historic API, built as part of Moodle. Does not implement services for Totara-specific functionality. | Deprecated - not recommended for use going forwardWe do not recommend using where there is an 'External' API for the same service. We intend to deprecate and remove the legacy web services when the 'External' API has similar service coverage. | All versions | REST XML-RPC/SOAP | Not recommended. | /webservice/rest/server.php /webservice/xmlrpc/server.php /webservice/soap/server.php | Custom token | Limited extensibility and token security. |
...