Available APIs

Totara has a number of APIs available, each with its own specific purpose:

External GraphQL API

Recommended API to use for external interactions between Totara and other systems. Available in Totara 17+.

Using the External GraphQL API | Developing for the External GraphQL API

AJAX GraphQL API

Recommended API to use when developing browser-based Javascript code for Totara. Available in Totara 13+.

Using the AJAX GraphQL API | Developing for the AJAX GraphQL API

Mobile GraphQL API

Designed to be used exclusively by Totara's official mobile application (Totara Mobile). Available in Totara 13+.

Using the Mobile GraphQL API | Developing for the Mobile GraphQL API

Legacy web services API

This API is not recommended, but does currently provide external access to a number of services not yet available via the GraphQL APIs. Available in all versions but now deprecated.

Using legacy web services | Developing legacy web services for Totara

The table below summarises the options and their differences in more detail.

APIDescriptionStatusAvailabilityTechnologyTarget audienceEndpoint locationAuthentication mechanismNotes
'External' APIModern, fully-featured API

Preferred external API, undergoing active development

TXP17+

GraphQL

Client-defined queries

Introspection via API setting

Used by developers wanting to integrate with Totara.

Implemented by Totara and partner developers wanting to extend Totara's core APIs.

/api/graphql.phpOAuth 2.0 access tokenCurrently has limited available services but these will grow over time.
AJAX APIUsed by Totara's client-side Javascript to obtain data from back-end serverPreferred internal APITXP13+

GraphQL

Persisted queries only

No introspection

Used by front-end developers writing Totara TUI components.

Implemented by Totara and partner developers wanting to extend Totara's core TUI functionality.

/totara/webapi/ajax.php

Session ID via web cookie + CSRF token

Also supports some unauthenticated 'nosession' requests

Not suitable for external access due to web cookie authentication.
Mobile APIUsed by Totara's official mobile app to obtain data from back-end serverPreferred API for mobile developmentTXP13+

GraphQL

Persisted queries only

No introspection

Used by the Totara mobile app.

Implemented by Totara and partner developers wanting to extend Totara's mobile app.

/totara/mobile/api.phpAPI key passed in request header
Developer APIUsed by developers while developing code for TotaraOptional API for use by developersTXP13+

GraphQL

Client-defined queries

Introspection available

Developers during code development process./totara/webapi/dev_graphql_executor.phpSession ID via web cookie or header

Provides access to the schema of all endpoint types.

Legacy web servicesHistoric API, built as part of Moodle. Does not implement services for Totara-specific functionality.

We do not recommend using where there is an 'External' API for the same service.

We intend to deprecate and remove the legacy web services when the 'External' API has similar service coverage.

All versionsREST XML-RPC/SOAPNot recommended.

/webservice/rest/server.php

/webservice/xmlrpc/server.php

/webservice/soap/server.php

Custom tokenLimited extensibility and token security.