Totara has a number of APIs available, each with its own specific purpose:
External GraphQL API
Recommended API to use for external interactions between Totara and other systems. Available in Totara 17+.
AJAX GraphQL API
Mobile GraphQL API
Designed to be used exclusively by Totara's official mobile application (Totara Mobile). Available in Totara 13+.
Legacy web services API
This API is not recommended, but does currently provide external access to a number of services not yet available via the GraphQL APIs. Available in all versions but now deprecated.
The table below summarises the options and their differences in more detail.
|API||Description||Status||Availability||Technology||Target audience||Endpoint location||Authentication mechanism||Notes|
|'External' API||Modern, fully-featured API|
Preferred external API, undergoing active development
Introspection via API setting
Used by developers wanting to integrate with Totara.
Implemented by Totara and partner developers wanting to extend Totara's core APIs.
|/api/graphql.php||OAuth 2.0 access token||Currently has limited available services but these will grow over time.|
Persisted queries only
Used by front-end developers writing Totara TUI components.
Implemented by Totara and partner developers wanting to extend Totara's core TUI functionality.
Session ID via web cookie + CSRF token
Also supports some unauthenticated 'nosession' requests
|Not suitable for external access due to web cookie authentication.|
|Mobile API||Used by Totara's official mobile app to obtain data from back-end server||Preferred API for mobile development||TXP13+|
Persisted queries only
Used by the Totara mobile app.
Implemented by Totara and partner developers wanting to extend Totara's mobile app.
|/totara/mobile/api.php||API key passed in request header|
|Developer API||Used by developers while developing code for Totara||Optional API for use by developers||TXP13+|
|Developers during code development process.||/totara/webapi/dev_graphql_executor.php||Session ID via web cookie or header|
Provides access to the schema of all endpoint types.
|Legacy web services||Historic API, built as part of Moodle. Does not implement services for Totara-specific functionality.|
Deprecated - not recommended for use going forward.
|All versions||REST XML-RPC/SOAP||Not recommended.|
|Custom token||Limited extensibility and token security.|