====== API Endpoints Reference ======

===== Collection API =====

All collection read/write operations go through one endpoint:

^ Endpoint ^ Method ^ Auth ^
| ''/api/apic.php'' | GET or POST | API username + key (''u'', ''k'' params) |

See [[developer:api|Collection API Reference]] for the full function list and [[developer:authentication|Authentication]] for credential setup.

===== Content Injection Pipeline =====

^ Endpoint ^ Method ^ Auth ^
| ''/api/inject.php'' | POST | Bearer token (per-pipeline key) |

See [[developer:content-injection|Content Injection Pipeline]] for request format.

===== LTI 1.3 Endpoints =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/api/lti-oidc-init.php'' | POST | None (public) | LTI OIDC login initiation |
| ''/api/lti-launch.php'' | POST | LTI platform JWT | LTI launch handler |
| ''/api/lti-jwks.php'' | GET | None (public) | LEAST public key set (JWKS) |

See [[developer:lti|LTI 1.3 Integration]] for full flow.

===== SAML 2.0 SSO Endpoints =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/sso/metadata.php'' | GET | None (public) | SP metadata (XML) |
| ''/sso/login.php'' | GET | None (public) | Initiates SSO — redirects to IdP |
| ''/sso/acs.php'' | POST | SAML assertion | Assertion Consumer Service |

See [[developer:sso|SSO / SAML 2.0]] for full flow.

===== xAPI Endpoints =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/api/xapi-statements.php'' | POST | API key header | Receive xAPI statements from external tools |
| ''/api/xapi-statements.php'' | GET | API key header | Export xAPI statements for a learner |

See [[developer:xapi|xAPI & SCORM]] for statement format.

===== SCORM Runtime =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/api/scorm-rte.php'' | POST | Session cookie | SCORM 1.2/2004 CMI runtime bridge |

This endpoint is called by the SCORM JavaScript API inside a SCORM launch iframe. Not called directly by external systems.

===== AI Features =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/api/api-ai-explain.php'' | POST | Session cookie | Real-time lesson explanation (learner-facing) |
| ''/api/api-ai-copilot.php'' | POST | Session cookie (Educator) | AI copilot: course outline, lesson improvement |

===== Training Calendar =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/api/api-training-calendar-ical.php'' | GET | Session cookie | RFC 5545 .ics export for calendar subscriptions |

===== URL Shortener =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/api/api-bitly-shorten.php'' | POST | Session cookie | Shorten KeyRing links via Bit.ly |

===== HRIS Webhook =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/api/api-hris-webhook.php'' | POST | Shared secret (per org) | Employee lifecycle events: provision, update, terminate |

Payload format:
<code json>
{
  "event":  "employee.created",
  "email":  "jane@example.com",
  "name":   "Jane Smith",
  "org_ref": "ABC123DEF456GHI"
}
</code>

===== Open Badges Public Endpoints =====

These are public (no auth required) — they serve JSON-LD for badge verification:

^ Endpoint ^ Method ^ Purpose ^
| ''/issuer.php'' | GET | Open Badges v2.0 Issuer Profile |
| ''/badge.php?r={ref}'' | GET | BadgeClass definition (JSON-LD) |
| ''/mybadge.php?r={ref}'' | GET | Assertion (JSON-LD) — shareable verification URL |

===== Health Check =====

^ Endpoint ^ Method ^ Auth ^ Purpose ^
| ''/health.php'' | GET | None | Uptime monitoring (returns HTTP 200 if healthy) |