CMI5 API
The cmi5 API issues a scoped launch token for a cmi5 Assignable Unit (AU). Given the target activity, the learner (agent) and the launching origin, it creates a short-lived, store-scoped cmi5 client and returns the xAPI endpoint plus a launch token the AU uses to authenticate its xAPI traffic. Authentication, value types, and error responses are common to all TRAX APIs.
Getting access
- Enable the API. Always enabled — the cmi5 API has no feature toggle.
- Client permission. The calling client must have the
cmi5-tokenspermission enabled (Clients → edit → Permissions). Authentication is HTTP Basic — see Authentication. - Base path. Copy your client's
cmi5_endpoint(…/stores/{store}/cmi5) from the Clients page (the ⓘ info button) and append/tokens.
Create token
Creates a scoped cmi5 client and returns the xAPI endpoint and launch token for an AU launch.
POST /trax/api/gateway/clients/{client}/stores/{store}/cmi5/tokens
Path segments:
{client}— your API client id.{store}— the id of the store the token is scoped to.
Request body
| Name | Type | Description |
|---|---|---|
activity_id |
IRI | The cmi5 AU activity to launch (a URL). Example: http://example.com/courses/intro/au1 |
agent |
Agent IFI | The learner the token is issued for. Example: {"mbox":"mailto:jane@example.com"} |
origin |
string | The launching origin (the site launching the AU). Example: https://lms.example.com |
Response
On success, 200 with a JSON body:
| Field | Type | Description |
|---|---|---|
endpoint |
string (URL) | The xAPI endpoint the AU sends statements to (trailing slash included). It points at a freshly generated, store-scoped cmi5 client — a different client id from the {client} that requested the token. |
token |
string | A base64-encoded username:password launch token, used as HTTP Basic credentials against endpoint. |
Example response
{
"endpoint": "https://<host>/trax/api/gateway/clients/<cmi5-client-id>/stores/{store}/xapi/",
"token": "Y21pNS1hYmMxMjM6czNjcjN0LXA0c3N3MHJk"
}
To launch the AU, use the returned token as HTTP Basic auth (Authorization: Basic <token>) against
the returned endpoint.