During the LTI 1.3 launch, extract the context_memberships_url from the https://purl.imsglobal.org/spec/lti-nrps/claim/namesroleservice claim in the id_token JWT
Use the client_id and platform OIDC token endpoint to request a service access token with scope https://purl.imsglobal.org/spec/lti-nrps/scope/contextmembership.readonly
GET the context_memberships_url with Authorization: Bearer {token} and Accept: application/vnd.ims.lti-nrps.v2.membershipcontainer+json
Parse the members array in the response; each member includes user_id, roles (Learner, Instructor, etc.), and optionally name and email if permitted
Follow the Link: rel=next header if present to page through rosters larger than the platform's default page size
Cache the roster keyed by user_id and refresh on a scheduled basis or on each new tool launch for that context
Known gotchas
NRPS access tokens are short-lived (typically 3600 seconds) and scoped to a single service — do not reuse tokens across different LTI services like AGS
Some platforms omit PII (name, email) from NRPS responses unless the tool has been granted the relevant privacy permission in the platform's tool configuration
The context_memberships_url is unique per deployment and context; it cannot be constructed from a known pattern and must be captured fresh from each launch
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp