Obtain API consumer key and secret from the Schoology API portal; for system-level integrations use two-legged OAuth 1.0a, which signs requests with the consumer key and secret without a user access token
Construct OAuth 1.0a signed requests: generate a nonce and timestamp, build the OAuth Authorization header with oauth_consumer_key, oauth_signature_method (HMAC-SHA1), oauth_timestamp, oauth_nonce, and oauth_signature
Call the schools endpoint to retrieve school identifiers, then the courses and sections endpoints to enumerate courses and sections for the target school
For each section, call the section enrollments endpoint to retrieve the list of users enrolled; use the paging parameters (start and limit) to paginate through large enrollment lists
Note the 2025 authentication update: Schoology introduced additional security measures for OAuth API keys for third-party apps from June 25, 2025; review the updated authentication documentation and ensure your re-authorization flow handles token expiry correctly
Known gotchas
The OAuth 1.0a nonce must be unique per request; reusing a nonce (e.g., from a cached request) causes authentication failure with an error that may not clearly identify the nonce as the cause
Three-legged OAuth is required for applications that act on behalf of individual users (not system-level); using two-legged OAuth for user-scoped operations returns data for the API consumer account, not the target user
Schoology's pagination uses start (offset) and limit parameters, not cursor-based pagination; concurrent requests that modify enrollment data between pages can cause records to be skipped or duplicated in the paginated output
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp