API Authentication Types
The API credentials for SCORM Cloud fall into one of two categories: accessing resources within an application, or managing the applications themselves. Both have a couple of types of credentials that can be used depending on what problem you are trying to solve.
Accessing Resources Within Applications
Application ID / Secret Key Pair
The Application ID (App ID) / Secret Key pair is the most basic form of authenticating a request to the SCORM Cloud API. Using this pair, any request can be made to the API and the applicable resources will be loaded. The App ID / Secret Key pair can be thought of like a username and password pair, but are strictly used with the API. These credentials will not allow you to login to SCORM Cloud, nor will your username and password allow you to use the API. You can share the App ID, but the Secret Key should remain… well, a secret!
What Are Applications?
In SCORM Cloud, applications are the entity to which a resource belongs. That means a resource belonging to one application cannot be loaded by another. Passing the identifier for the application, the App ID, as part of the credential allows us to know which group of your resources to load. For example, if you have two applications, App 1 and App 2, a course imported into App 1 will not be shown in any API requests made with the App ID for App 2.
Applications can be split in a variety of ways. Some people like having a unique application for each client. Others like to keep all of their data under a single application. There are also people who use applications for their different environments, e.g., prod, staging, dev. The choice is completely up to you, but we recommend following along the same lines as your business model. For example, let’s say you are a content distributor with a large collection of content you share with all of your clients. It might make sense to have a single application where you store all of your content. On the other hand, if you are only giving access to a subset of your content pool to each client, separating out each client would fit your model better.
When Would I Use My App ID / Secret Key Pair?
The App ID / Secret Key pair is the default authentication method for working with SCORM Cloud. The majority of the time you will use this pair for authenticating against the API. The pair will be used when acting on resources within the application whose ID you are passing along as part of the credential.
If you would like more fine-grained access to only a select number of resources within that application, or would like a credential which will only be valid for a certain amount of time, you can read about OAuth tokens under the Scoped Permissions or Time-Limited Access section.
Managing Applications
App Management App
The App Management App is very similar to the App Id / Secret Key pair listed above. There are two main differences
between the two though. The first is that the App Management App is only scoped to work with endpoints that have an
effect on applications rather than their underlying data, e.g., CreateApplication,
GetApplicationList, etc. The other
difference being that it is a singleton; there can only be ever be one App Management App.
What Is the App Management App?
The App Management App is a special kind of application which allows for control over your other SCORM Cloud applications. It has the power to create, delete, and get information regarding your other applications, but does not have the ability to read any resources belonging to the application. In other words, you can’t access any courses or registrations that were created for that application. The App Management App is helpful in automating the creation of new applications and pulling statistics about your applications. Beyond that, a different form of credential will be needed to work with the other API endpoints.
When Would I Use My App Management App Credentials?
The App Management App will only be used when working with a handful of methods in the Application Management Service. Methods that act on applications themselves rather than the data belonging to an application will require an App Management App credential. Otherwise, you will need to use App ID / Secret Key pairs for one of the other applications.
If you would like more fine-grained access to only perform certain actions on your applications, or would like a credential which will only be valid for a certain amount of time, you can read about OAuth tokens under the Scoped Permissions or Time-Limited Access section.
Scoped Permissions or Time-Limited Access
OAuth Tokens
OAuth tokens are an alternative form of authorization against SCORM Cloud. Instead of always passing your App ID / Secret Key pair with every request, you can generate an OAuth token and pass that along with the request instead. OAuth tokens can be helpful if you ever find yourself in a situation where you don’t want to use credentials that have access to do everything within the API.
What Are OAuth Tokens?
OAuth 2.0 tokens are a useful tool for additional access control measures past what the traditional App ID / Secret Key
pair provide. With traditional App ID / Secret Key pairs, anyone that has access to the credentials can make any call to
SCORM Cloud to create, read, update, or delete resources. OAuth tokens provide access to a set of API endpoints
determined by the scope(s) passed along with the request. For example, creating a token with the read scope will cause
the token to only work for endpoints that are for reading resources, e.g. GetRegistrations
and GetCourses. The scope can even be more
refined to only allow actions belonging to a certain service. The read:registration scope would allow
GetRegistrations to work, but the caller would not be authorized to access GetCourses with the provided token. A
list of scopes can be found on the API Overview page.
Additionally, OAuth tokens have an associated expiry time which limits how long a token will work for. Once the expiry time is hit, requests made with the token will no longer be authorized. There is no way to revoke a token once it is generated, so make sure the scopes and expiry time are set to appropriate values for the action you are performing.
When Would I Use OAuth Tokens?
OAuth tokens are completely optional as both OAuth tokens and App ID / Secret Key pairs can perform the same actions in terms of working with the SCORM Cloud API. The benefit that OAuth tokens have over their counterpart is an increased level of security through limiting scope and time the credentials are valid for. If you do not have any concern for the increased level of security, the App ID / Secret Key pair will be all you need.