Showing results for 
Show  only  | Search instead for 
Did you mean: 

Instructure OneRoster Authentication Specifications

Instructure OneRoster Authentication Specifications

When configuring the Instructure OneRoster API integration, you must specify your system authorization method.

For OneRoster Implementation details, refer to IMS Global OneRoster v1.1 final specification documentation.

Note: OneRoster v1.2 will require OAuth 2.0 authorization.

Note: Instructure is a OneRoster Consumer. For OneRoster Consumer and Provider definitions, view the Introduction to OneRoster.

Supported Authentication Methods 

When configuring your Instructure OneRoster integration, you must specify the integration authorization method. Instructure supports both OAuth 2.0 and OAuth 1.0a authentication configurations.

If your institution opts to use OAuth 1.0a, prevent server sync issues by providing the following server timestamp flexibility: 10 min in the past; 5 min in the future.

If your institution opts to use OAuth 2.0, the access token request authorization header includes client credentials (consumer key and secret). Additionally, if your institution has pre-defined the authorization scope, it is built into the URL upon implementation.

Learn more about OneRoster 1.1 security configuration options.

Note: When running an API call, each concurrent thread requests its own token. If a new token is issued, do not invalidate previously generated tokens. 

Additional Resources


If you find a typo or outdated info, or have a suggestion to improve this guide, please share your feedback