REST API & authentication
EduPrime exposes a documented REST API so integrators can read and write data – students, enrolments, invoices, results – from external systems. Access is authorised with OAuth 2.0 and governed by rate limits and scopes.

Base URL & versioning
All API calls go to your institution’s host under a versioned path:
https://your-institution.eduprime.app/api/v1/
The version segment (/v1/) is part of the URL so that future breaking changes ship as /v2/ without disrupting existing integrations. All requests and responses use JSON; send Content-Type: application/json and Accept: application/json.
OAuth 2.0 authentication
The API is protected by OAuth 2.0. For server-to-server integrations, use the client-credentials grant:
- Register an API client in Settings → API & Integrations to obtain a
client_idandclient_secret. - Assign the client the scopes it needs (e.g.
students:read,invoices:write) – least privilege. - Exchange the credentials for a short-lived access token at the token endpoint.
- Send the token as a Bearer header on every API call; refresh it before it expires.
Key concepts
| Concept | Meaning |
|---|---|
| Resource | A collection such as /students, /enrolments, /invoices |
| Scope | A permission granted to a client, e.g. results:read |
| Pagination | List endpoints page results – pass ?limit= and ?offset= |
| Filtering | Narrow lists with query params, e.g. ?programme=BSC-CS |
| Idempotency | Send an Idempotency-Key on writes so retries do not duplicate |
Rate limits
Each client is rate-limited to protect the platform. Responses carry X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers; exceeding the limit returns HTTP 429. Back off using the reset header rather than retrying immediately.
updated_since filter instead of pulling the full dataset. It is faster, kinder to your rate budget, and avoids re-processing unchanged records.Example request
First exchange credentials for a token, then call a resource:
curl -X POST https://your-institution.eduprime.app/api/v1/oauth/token \
-H "Content-Type: application/json" \
-d '{"grant_type":"client_credentials","client_id":"YOUR_ID","client_secret":"YOUR_SECRET","scope":"students:read"}'
# then, using the returned access_token:
curl https://your-institution.eduprime.app/api/v1/students?limit=50 \
-H "Authorization: Bearer ACCESS_TOKEN" \
-H "Accept: application/json"
client_secret securely (never in client-side code or a public repo), rotate it periodically, and revoke any client that is no longer in use.
