Using the Mobile GraphQL API

The mobile GraphQL API was introduced to Totara in version 13. Its purpose is to provide an API that is used by Totara's official mobile app (Totara Mobile).

The mobile API makes use of an API key generated by the app for authentication. For other types of API access, see the Available APIs page.

Because the mobile API relies on persisted queries and requires a valid API key on all requests (which can be tricky to generate manually), it is not the ideal endpoint to use for development. If you are developing new API requests, we recommend using the developer API to construct your requests, then creating persisted mobile queries in code when you are ready to use them.


The mobile GraphQL API endpoint is located at:

https://YOUR-SITE-URL/totara/mobile/api.php

The mobile API only functions if the mobile app has been enabled via Quick-access menu > Plugins > Mobile > Mobile settings > Enable mobile app.


Requests to the mobile endpoint should set either the X-API-Key or Authorization header. The preferred mechanism is to use the X-API-Key header, since the Authorization header can be stripped by some web servers and proxies.

For example:

curl 'https://YOUR-SITE-URL/totara/mobile/api.php' \
  -X POST \
  -H 'X-API-Key: YOUR-API-KEY' \
  -H 'Content-type: application/json' \
  --data-raw '{"operationName": "totara_mobile_me", "variables": {} }'

would return something like:

{
  "data": {
    "me": {
      "user": {
        "firstname": "Admin",
        "lastname": "User",
        "fullname": "Admin User"
      },
      "system": { ... }
    }
  }
}
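
The same request built from Python, as an added example that is not part of the Totara documentation or code base: it sends the key in the X-API-Key header, refuses non-HTTPS site URLs, reads the key from the environment, and rejects responses that carry GraphQL errors. The function names and the TOTARA_MOBILE_API_KEY variable are hypothetical, and the error handling assumes the standard GraphQL "errors" response shape.

```python
import json
import os
import urllib.request
from urllib.parse import urlsplit

ENDPOINT_PATH = "/totara/mobile/api.php"  # path taken from the curl example above


def build_request(site_url, api_key, operation_name, variables=None):
    """Build a POST for one persisted mobile operation, authenticated via X-API-Key."""
    parts = urlsplit(site_url)
    # The key is sent on every request, so refuse to send it over plain HTTP.
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("site_url must be an https:// URL")
    # Reject empty keys and line breaks (which would allow header injection).
    if not api_key or "\r" in api_key or "\n" in api_key:
        raise ValueError("API key is empty or contains line breaks")
    body = json.dumps({"operationName": operation_name, "variables": variables or {}})
    return urllib.request.Request(
        site_url.rstrip("/") + ENDPOINT_PATH,
        data=body.encode("utf-8"),
        method="POST",
        headers={"Content-type": "application/json", "X-API-Key": api_key},
    )


def extract_data(raw_body):
    """Return the "data" member, raising if the response carries GraphQL errors."""
    doc = json.loads(raw_body)
    if doc.get("errors"):
        # Assumption: standard GraphQL error shape, a list of {"message": ...}.
        raise RuntimeError("; ".join(e.get("message", "unknown") for e in doc["errors"]))
    if not isinstance(doc.get("data"), dict):
        raise RuntimeError("response has no data object")
    return doc["data"]


def call_mobile_api(site_url, operation_name, variables=None):
    """Send the request; the key comes from the environment, not from source code."""
    api_key = os.environ["TOTARA_MOBILE_API_KEY"]  # hypothetical variable name
    req = build_request(site_url, api_key, operation_name, variables)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return extract_data(resp.read().decode("utf-8"))


# Constructed sample response, modelled on the one shown above.
SAMPLE = '{"data": {"me": {"user": {"firstname": "Admin", "lastname": "User"}}}}'

if __name__ == "__main__":
    print(extract_data(SAMPLE)["me"]["user"]["firstname"])
```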

More information

For more information about the mobile app, see Getting started with the Totara Mobile app and Totara Mobile app architecture.