The LMS constructs the AU launch URL by appending required query string parameters: endpoint (LRS xAPI endpoint), fetch (one-time fetch URL for the authorization token), registration, activityId, and optionally actor and returnURL
The AU calls the fetch URL via HTTP POST to exchange it for a single-use authorization token; the fetch URL is one-time-use only and must not be called more than once
The AU uses the retrieved authorization token as the Bearer token for all xAPI statements sent to the LRS endpoint during the session
The AU sends the required cmi5-defined xAPI statements in order: initialized (on load), then passed/failed/completed as appropriate, then terminated (on close); these must use the cmi5 category activity ID
The LMS tracks session state via the xAPI State API (using the cmi5LearnerPreferences and LMS.LaunchData state resources) rather than SCORM's session variables; implement state reads before the AU begins its interaction
Known gotchas
The fetch URL is explicitly one-time-use; a retry after network failure reuses the same URL and will receive an Already in Use or Expired error, leaving the AU unable to obtain an auth token — implement pre-launch network checks
The activityId in the launch URL must be used as the Object id in all cmi5-defined statements; using a different id breaks the LMS's ability to correlate statements to the specific AU instance
cmi5 prohibits sending a passed statement without a score and prohibits sending both passed and failed in the same session; AU authors from SCORM backgrounds frequently violate these constraints when porting courses
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp