REST API & authentication

EduPrime exposes a documented REST API so integrators can read and write data – students, enrolments, invoices, results – from external systems. Access is authorised with OAuth 2.0 and governed by rate limits and scopes.

Where to find it — App drawer → Virtual Classroom → Attendance.
REST API & authentication
REST API & authentication in EduPrime.

Base URL & versioning

All API calls go to your institution’s host under a versioned path:

https://your-institution.eduprime.app/api/v1/

The version segment (/v1/) is part of the URL so that future breaking changes ship as /v2/ without disrupting existing integrations. All requests and responses use JSON; send Content-Type: application/json and Accept: application/json.

OAuth 2.0 authentication

The API is protected by OAuth 2.0. For server-to-server integrations, use the client-credentials grant:

  1. Register an API client in Settings → API & Integrations to obtain a client_id and client_secret.
  2. Assign the client the scopes it needs (e.g. students:read, invoices:write) – least privilege.
  3. Exchange the credentials for a short-lived access token at the token endpoint.
  4. Send the token as a Bearer header on every API call; refresh it before it expires.

Key concepts

ConceptMeaning
ResourceA collection such as /students, /enrolments, /invoices
ScopeA permission granted to a client, e.g. results:read
PaginationList endpoints page results – pass ?limit= and ?offset=
FilteringNarrow lists with query params, e.g. ?programme=BSC-CS
IdempotencySend an Idempotency-Key on writes so retries do not duplicate

Rate limits

Each client is rate-limited to protect the platform. Responses carry X-RateLimit-Limit, X-RateLimit-Remaining and X-RateLimit-Reset headers; exceeding the limit returns HTTP 429. Back off using the reset header rather than retrying immediately.

Tip — For nightly syncs, request only what changed using an updated_since filter instead of pulling the full dataset. It is faster, kinder to your rate budget, and avoids re-processing unchanged records.

Example request

First exchange credentials for a token, then call a resource:

curl -X POST https://your-institution.eduprime.app/api/v1/oauth/token \
  -H "Content-Type: application/json" \
  -d '{"grant_type":"client_credentials","client_id":"YOUR_ID","client_secret":"YOUR_SECRET","scope":"students:read"}'

# then, using the returned access_token:
curl https://your-institution.eduprime.app/api/v1/students?limit=50 \
  -H "Authorization: Bearer ACCESS_TOKEN" \
  -H "Accept: application/json"

Important — The API returns personal data and respects the same record rules as the interface – a client cannot read what its scopes and the underlying role do not permit. Store the client_secret securely (never in client-side code or a public repo), rotate it periodically, and revoke any client that is no longer in use.
Was this page helpful?