Register your application in the ClassLink developer portal and obtain OAuth 2.0 client credentials; ClassLink uses OAuth 2.0 Bearer Token authorization for OneRoster API access
Call the ClassLink oneroster-proxy endpoint (https://oneroster-proxy.classlink.io/applications) with the Bearer token to obtain the list of districts that have authorized your application and their OneRoster server details
For each district, retrieve the server URL from the applications/{oneroster_application_id}/server endpoint; use this district-specific URL as the base for all subsequent OneRoster calls for that district
Call standard OneRoster rostering endpoints (orgs, users, classes, enrollments) at the district base URL using the access token; handle pagination with limit and offset query parameters
Store per-district server URLs and token state separately; tokens issued for one district context are not valid for another district's endpoints
Known gotchas
The oneroster-proxy layer means the server base URL varies per district; hardcoding a single base URL causes all requests after the first district to fail silently or receive another district's data
ClassLink's OneRoster implementation may return data following OneRoster 1.1 or 1.2 depending on the district configuration; validate the response schema version before assuming 1.2-specific fields are present
District admins must explicitly grant your application access in the ClassLink portal; an access grant that was revoked or has not yet been approved returns an empty district list rather than an authorization error
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp