Available APIs
Totara has a number of APIs available, each with its own specific purpose:
External GraphQL API
Recommended API to use for external interactions between Totara and other systems. Available in Totara 17+.
Using the External GraphQL API | Developing for the External GraphQL API
AJAX GraphQL API
Recommended API to use when developing browser-based Javascript code for Totara. Available in Totara 13+.
Using the AJAX GraphQL API | Developing for the AJAX GraphQL API
Mobile GraphQL API
Designed to be used exclusively by Totara's official mobile application (Totara Mobile). Available in Totara 13+.
Using the Mobile GraphQL API | Developing for the Mobile GraphQL API
Legacy web services API
This API is not recommended, but does currently provide external access to a number of services not yet available via the GraphQL APIs. Available in all versions but now deprecated.
Using legacy web services | Developing legacy web services for Totara
The table below summarises the options and their differences in more detail.
| API | Description | Status | Availability | Technology | Target audience | Endpoint location | Authentication mechanism | Notes |
|---|---|---|---|---|---|---|---|---|
| 'External' API | Modern, fully-featured API | Preferred external API, undergoing active development | TXP17+ | GraphQL Client-defined queries Introspection via API setting | Used by developers wanting to integrate with Totara. Implemented by Totara and partner developers wanting to extend Totara's core APIs. | /api/graphql.php | OAuth 2.0 access token | Currently has limited available services but these will grow over time. |
| AJAX API | Used by Totara's client-side Javascript to obtain data from back-end server | Preferred internal API | TXP13+ | GraphQL Persisted queries only No introspection | Used by front-end developers writing Totara TUI components. Implemented by Totara and partner developers wanting to extend Totara's core TUI functionality. | /totara/webapi/ajax.php | Session ID via web cookie + CSRF token Also supports some unauthenticated 'nosession' requests | Not suitable for external access due to web cookie authentication. |
| Mobile API | Used by Totara's official mobile app to obtain data from back-end server | Preferred API for mobile development | TXP13+ | GraphQL Persisted queries only No introspection | Used by the Totara mobile app. Implemented by Totara and partner developers wanting to extend Totara's mobile app. | /totara/mobile/api.php | API key passed in request header | |
| Developer API | Used by developers while developing code for Totara | Optional API for use by developers | TXP13+ | GraphQL Client-defined queries Introspection available | Developers during code development process. | /totara/webapi/dev_graphql_executor.php | Session ID via web cookie or header | Provides access to the schema of all endpoint types. |
| Legacy web services | Historic API, built as part of Moodle. Does not implement services for Totara-specific functionality. | Deprecated - not recommended for use going forward. | All versions | REST XML-RPC/SOAP | Not recommended. | /webservice/rest/server.php /webservice/xmlrpc/server.php /webservice/soap/server.php | Custom token | Limited extensibility and token security. |