Available APIs
Totara has a number of APIs available, each with its own specific purpose:
External GraphQL API
Recommended API to use for external interactions between Totara and other systems. Available in Totara 17+.
Using the External GraphQL API | Developing for the External GraphQL API
AJAX GraphQL API
Recommended API to use when developing browser-based JavaScript code for Totara. Available in Totara 13+.
Using the AJAX GraphQL API | Developing for the AJAX GraphQL API
Mobile GraphQL API
Designed to be used exclusively by Totara's official mobile application (Totara Mobile). Available in Totara 13+.
Using the Mobile GraphQL API | Developing for the Mobile GraphQL API
Legacy web services API
This API is not recommended, but does currently provide external access to a number of services not yet available via the GraphQL APIs. Available in all versions but now deprecated.
Using legacy web services | Developing legacy web services for Totara
The table below summarises the options and their differences in more detail.
API | Description | Status | Availability | Technology | Target audience | Endpoint location | Authentication mechanism | Notes |
---|---|---|---|---|---|---|---|---|
'External' API | Modern, fully-featured API | Preferred external API, undergoing active development | TXP17+ | GraphQL; client-defined queries; introspection via API setting | Used by developers wanting to integrate with Totara. Implemented by Totara and partner developers wanting to extend Totara's core APIs. | /api/graphql.php | OAuth 2.0 access token | Currently has limited available services but these will grow over time. |
AJAX API | Used by Totara's client-side JavaScript to obtain data from back-end server | Preferred internal API | TXP13+ | GraphQL; persisted queries only; no introspection | Used by front-end developers writing Totara TUI components. Implemented by Totara and partner developers wanting to extend Totara's core TUI functionality. | /totara/webapi/ajax.php | Session ID via web cookie + CSRF token. Also supports some unauthenticated 'nosession' requests. | Not suitable for external access due to web cookie authentication. |
Mobile API | Used by Totara's official mobile app to obtain data from back-end server | Preferred API for mobile development | TXP13+ | GraphQL; persisted queries only; no introspection | Used by the Totara mobile app. Implemented by Totara and partner developers wanting to extend Totara's mobile app. | /totara/mobile/api.php | API key passed in request header | |
Developer API | Used by developers while developing code for Totara | Optional API for use by developers | TXP13+ | GraphQL; client-defined queries; introspection available | Developers during code development process. | /totara/webapi/dev_graphql_executor.php | Session ID via web cookie or header | Provides access to the schema of all endpoint types. |
Legacy web services | Historic API, built as part of Moodle. Does not implement services for Totara-specific functionality. | We do not recommend using it where there is an 'External' API for the same service. We intend to deprecate and remove the legacy web services when the 'External' API has similar service coverage. | All versions | REST; XML-RPC/SOAP | Not recommended. | /webservice/rest/server.php; /webservice/xmlrpc/server.php; /webservice/soap/server.php | Custom token | Limited extensibility and token security. |