Always Learning

Posted by Wes | about 4 years ago

We are demystifying the Experience API for ourselves and anyone else who wants to follow along. We recently explored Basic Auth and OAuth as methods of integrating an LRS and an LMS. This article will focus on the upcoming CMI-5 standard, which addresses the LMS use case for xAPI.


We have been on a journey to understand the Experience API. We previously explored the following:

What is CMI-5?

CMI-5 is a standard being developed by AICC and ADL. The focus is on the LMS use case for xAPI. There are two components defined in the specification.

  • Course Structure defines the data model for Assignable Units in the LMS.
  • Runtime defines the interactions between LMS and Assignable Units.

Note: CMI-5 refers to Activity Providers as Assignable Units.

CMI-5 Runtime

The CMI-5 Runtime defines flows for launching an Activity Provider from an LMS.

LMS Flow
  1. Store user and session data in LRS.
    • Use State API to store session details.
    • Use Agent Profile API to update learner preferences.
  2. Launch Activity Provider as configured in Course Structure.
  3. Write “Launched” statement to the LRS.

Activity Provider Flow
  1. Retrieve auth token.
    • URL in “fetch” parameter is used to retrieve Basic Auth token.
    • OAuth is used if “fetch” parameter is not present.
  2. Retrieve user and session data from LMS.
    • Use State API to retrieve session details.
    • Use Agent Profile API to retrieve learner preferences.
  3. Write “Initialized” statement to the LMS when successfully launched.
  4. Write “Terminated” statement to the LMS when activity ends.

Confused about the Activity Provider interacting with xAPI on the LMS? We were too... Read on!

Improved Launch Link

The specification includes this example Launch URL:
&actor={"objectType": "Agent","account": 
{"homePage": "","name": "1625378"}

Notice that the “endpoint” and “fetch” parameters are on the same domain. We know the "fetch" endpoint is not a function of the LRS, so both endpoints must be provided by the LMS in this example. The specification suggests the Activity Provider interacts with an API on the LMS, but the Activity Provider seems indifferent to whether it interacts with the LMS or LRS. The URL provided by the "fetch" parameter is the only LMS-specific endpoint.
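The following is an added example, not code from the specification or from this series: a sketch of how an Activity Provider could read the "endpoint", "fetch" and "actor" parameters of a launch link and choose between the Basic Auth and OAuth paths described above. The hostnames, the token path, the function names, the HTTPS requirement and the same-origin flag are all assumptions made for illustration.

```javascript
// Added example. All hostnames and the token path are constructed.
function sampleLaunchUrl(withFetch) {
  const q = new URLSearchParams({
    endpoint: "https://lms.example/xapi/",
    actor: JSON.stringify({
      objectType: "Agent",
      account: { homePage: "https://lms.example", name: "1625378" },
    }),
  });
  if (withFetch) q.set("fetch", "https://lms.example/token?k=constructed");
  return "https://ap.example/course/index.html?" + q.toString();
}

// Decide how the Activity Provider authenticates, from the launch URL alone.
function planLaunch(launchUrl) {
  const params = new URL(launchUrl).searchParams;
  const endpointRaw = params.get("endpoint");
  if (!endpointRaw) throw new Error("missing endpoint parameter");
  const endpoint = new URL(endpointRaw); // throws on a malformed URL

  // The actor is URL-encoded JSON; accept only an Agent with an account name.
  let actor;
  try {
    actor = JSON.parse(params.get("actor"));
  } catch (e) {
    throw new Error("actor is not valid JSON");
  }
  if (!actor || actor.objectType !== "Agent" || !actor.account || !actor.account.name) {
    throw new Error("actor must be an Agent identified by an account");
  }
  const plan = { endpoint: endpoint.href, learner: actor.account.name };

  const fetchRaw = params.get("fetch");
  if (!fetchRaw) return { ...plan, auth: "oauth" }; // no "fetch": OAuth flow

  const fetchUrl = new URL(fetchRaw);
  // Assumed policy: the token and every statement carrying it must use TLS.
  if (fetchUrl.protocol !== "https:" || endpoint.protocol !== "https:") {
    throw new Error("fetch and endpoint must both be https");
  }
  // Assumed check: flag a token issuer on a different origin than the xAPI
  // endpoint, since the token fetched from one is then sent to the other.
  return { ...plan, auth: "basic", fetch: fetchUrl.href,
           sameOrigin: fetchUrl.origin === endpoint.origin };
}

console.log(planLaunch(sampleLaunchUrl(true)));
```

A launch link whose "fetch" and "endpoint" origins differ is not rejected here, only reported through sameOrigin, because the article does not state that the two must match.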

Expectations for the LMS

The LMS responsibilities with CMI-5 include:

  • Issue a "Launched" statement when Activity Provider is invoked.
  • Provide an endpoint for the "fetch" parameter of the Launch Link.
  • Provide an LRS or wrapper interface with xAPI endpoints. (optional?)
  • Generate short-lived tokens for user sessions.
  • Observe statements related to user sessions.
  • Incur additional processing load.
  • Manage tokens for every user session.

The LMS would be taking on substantial overhead by acting as the API, but integrations with Activity Providers would be greatly improved.

Expectations for the Activity Provider

Activity Providers get new responsibilities with CMI-5 including:

  • Issue statements related to the state of a learner’s session.
  • Retrieve auth token from the “fetch” parameter for Basic Auth.

Issuing statements about learner session state would be a minor addition. A new security workflow would be a more substantial effort, and not all Activity Providers may benefit from the addition. CMI-5 is focused on the LMS. This forces Activity Providers to consider the expectations of their intended audience.

State of CMI-5

CMI-5 is still under development. The first developer release (Sandstone) occurred on May 15, 2015. This is great timing for our exploration. Our challenge will be a lack of sample Activity Providers for experimentation. LMS vendors and Activity Providers will face a similar dilemma when deciding on their future roadmaps.

What's next?

LMS vendors and the next generation of Activity Providers have prerequisite tasks to complete before CMI-5 can be widely adopted. We believe the current generation of Activity Providers could be launched securely by applying ideas from the CMI-5 Runtime. The next article in this series will explore implementing those ideas to accommodate the simplest Activity Providers.

Feel free to jump ahead to other articles in this series:

Also, definitely check out and's xAPI standard for more in-depth details. We are just scratching the surface with this whirlwind tour, and those resources were our reference. We would like to give credit and a BIG THANKS to the maintainers of both!

