The AJAX API authenticates requests with a session cookie combined with a cross-site-request-forgery (CSRF) token, so it is only suitable for web-based requests that have access to cookies. For other types of API access, see the Available APIs page.
Because the AJAX API relies on persisted queries and requires a valid CSRF token on all requests, it is not the ideal endpoint to use for development. If you are developing new API requests we recommend using the developer API to construct your requests, then creating persisted queries in code when you are ready to use them.
The AJAX GraphQL API endpoint is located at:
Requests to the AJAX endpoint must send the Totara session cookie and a CSRF token. It is not normally necessary to make requests in this way (use the developer API instead), but, if required, the structure of requests is as follows:
If you need to replicate an existing AJAX request for debugging purposes, modern browsers typically offer an option to Copy to cURL when viewing network requests, which can make it straightforward to get the equivalent query. Open the browser development tools and look for the Fetch/XHR request you are interested in on the Network tab, then select Copy > Copy as cURL:
You can then paste into a terminal window and edit as required.
To manually obtain a valid session cookie, log in to Totara as the user you wish to make requests as, then open Developer Tools and locate the page cookies. For Chrome this can be found under Application > Storage > Cookies, then the URL of the site.
The Name of the cookie will typically be 'TotaraSession', but may also have an additional string added if the sessioncookie admin setting (Quick-access menu > Server > Session handling) is non-empty.
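A command produced by Copy as cURL carries the live session cookie and CSRF token, so it should be masked before it is pasted into a ticket or chat. The following is an added example, not part of the original documentation or Totara's own code: it masks any cookie whose name starts with 'TotaraSession' and any listed header. The host, path, CSRF header name and values in the sample are constructed placeholders.

```python
import shlex

# Assumption: session cookie names begin with the default 'TotaraSession' prefix.
COOKIE_PREFIX = "TotaraSession"
# Hypothetical header name for the CSRF token; replace it with the header
# that actually appears in your copied request.
SECRET_HEADERS = ("x-example-csrf-token",)
MASK = "REDACTED"

# Constructed sample; host, path, header name and values are placeholders.
SAMPLE = (
    "curl 'https://totara.example.invalid/PLACEHOLDER-ENDPOINT' \\\n"
    "  -H 'X-Example-CSRF-Token: abc123constructed' \\\n"
    "  -b 'TotaraSessionmysite=s3cr3tconstructed; theme=dark' \\\n"
    "  --data-raw '{\"operationName\":\"example_operation\"}'"
)


def redact_cookie_string(cookies):
    """Mask the value of every Totara session cookie in 'a=1; b=2' text."""
    pairs = []
    for pair in cookies.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name.startswith(COOKIE_PREFIX):
            value = MASK
        pairs.append(f"{name}{sep}{value}")
    return "; ".join(pairs)


def redact_curl(command, secret_headers=SECRET_HEADERS):
    """Return the cURL command with session cookies and listed headers masked."""
    # Join shell line continuations first; shlex does not treat them specially.
    tokens = shlex.split(command.replace("\\\n", " "))
    out = []
    for prev, tok in zip([""] + tokens, tokens):
        if prev in ("-b", "--cookie"):
            tok = redact_cookie_string(tok)
        elif prev in ("-H", "--header") and ":" in tok:
            name, _, value = tok.partition(":")
            if name.strip().lower() == "cookie":
                tok = f"{name}: {redact_cookie_string(value)}"
            elif name.strip().lower() in secret_headers:
                tok = f"{name}: {MASK}"
        out.append(tok)
    return shlex.join(out)


if __name__ == "__main__":
    print(redact_curl(SAMPLE))
```

The request body is passed through unchanged, so check it by hand if your copied request carries a token there.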
If the operationName ends with _nosession then it indicates no Totara session is required, and the request will be completed without requiring either a Totara session cookie or the CSRF token.