Always Learning

Posted by Wes | about 3 years ago

We are demystifying the Experience API for ourselves and anyone else that wants to follow along. We have covered terminology, Activity Providers, LRS queries and LRS statements. This article will focus on using Basic Authentication to integrate an Experience API LRS with a LMS.


We have been on a journey to understand the Experience API. We previously explored the following:

Which LMS?

Integration with a LMS requires a LMS, and we happen to be familiar with and have access to LearningStudio. This conversation should continue to be useful for those using another LMS, but the LearningStudio specific features that we'll utilize will differ.

LearningStudio's Content Extension API

Integrating LearningStudio with xAPI aware content will require preparing a launch link with LRS credentials and student identifiers. LearningStudio has a useful API, and Content Extensions seem to be a good fit for what we want to accomplish. We can embed Javascript in place of HTML in a content item. The User Info Content Extension API will be used to retrieve the actor data, and a Launch Link will be placed in the page. The LRS auth and endpoint parameters will be defaulted into the link to keep this simple. The registration parameter is not required, so we’ll just omit it. We will continue using the Golf Example from as our Activity Provider.

Embed this Javascript in a HTML content item:

// load jquery if it's missing. LearningStudio will provide this.
if(!window.jQuery) {
 document.write('<script src="//"><\/script>');
// load the user info content extension from LearningStudio
$.getJSON("",function(data) {
  // abort if user data not available
  if( !data || !data.userInfo) {
      document.body.innerHTML = "Not Available";
  // create the actor parameter from the API reults
  var actor = { 
    mbox: , 
    name: (data.userInfo.firstName + " " + data.userInfo.lastName), 
    objectType: "Agent"
  // URL encode the actor data for the query string
  var actorData = encodeURIComponent(JSON.stringify(actor));
  // add a launch link to the page. auto redirect would be another option.
  document.body.innerHTML = 
      '<a target="_blank" href="' +
        '' +
        '&auth=Basic%20VGVzdFVzZXI6cGFzc3dvcmQ%3D' +
        '&actor=' + actorData +
        // '&registration=e168d6a3-46b2-4233-82e7-66b73a179727' +
        '">Golf Example</a>';


The Activity Provider’s content can now be loaded by clicking a dynamically created link in LearningStudio. The Activity Provider reports to the LRS as expected, and the statements include the student information. We're done!

Wait... Anyone else have concerns? Someone could manipulate the email address in the query string, right? We might attempt to hide this detail, but it’s still there. This would be more tamper resistant if the credentials were specific to the email address, but that’s not the case here. What other options do we have?

Let’s explore if replacing Basic Authentication with OAuth overcomes this concern!

What's next?

We now know that using an Activity Provider's generic credentials for Basic Authentication will not suit our needs. The authentication should be unique to the student to prevent tampering with the statement's actor. We need to figure this out! The next article in this series will focus on using OAuth to integrate a xAPI LRS with a LMS. Afterwards, we'll revisit submitting our own xAPI Statements to a LRS.

Feel free to jump ahead to other articles in this series:

Also, definitely check out and's xAPI standard for more in-depth details. We are just scratching the surface with this whirlwind tour, and those resources were our reference. We would like to give credit and a BIG THANKS to the maintainers of both!


Average: 3 (2 votes)

17855 reads
Always Learning