Obtain an OAuth 2.0 Bearer token by posting client credentials to the provider's token endpoint; OneRoster 1.2 mandates OAuth 2.0 Bearer Tokens (RFC 6750) as the only permitted authentication mechanism.
Discover available resources by reading the provider's base path — all OneRoster 1.2 REST paths use the prefix /ims/oneroster/rostering/v1p2 for the Rostering service; confirm the exact host and base URL from the provider's documentation.
Fetch orgs, courses, classes, users, and enrollments via GET on the respective endpoints (e.g., GET /ims/oneroster/rostering/v1p2/enrollments); use limit and offset query parameters for pagination.
For delta sync, apply the filter parameter dateLastModified>'{lastSyncTimestamp}' to retrieve only records changed since the previous run; the provider must support this filter per the spec's conformance requirements.
Filter on status=active to exclude soft-deleted records; records with status=tobedeleted should trigger deletion in your local system.
Write received records to your local data store, matching on sourcedId as the stable identifier; upsert on sourcedId to handle both creates and updates in a single pass.
Known gotchas
OneRoster 1.1 used OAuth 1.0a (HMAC-SHA1 or HMAC-SHA256); upgrading to 1.2 requires switching to OAuth 2.0 Bearer Tokens — mixing authentication schemes will result in 401 errors.
Not all providers implement delta sync filtering on dateLastModified even though it is required for conformance; test filter support before relying on it for incremental sync and fall back to full bulk pulls if unsupported.
Pagination behavior varies by vendor: some treat limit/offset as mandatory, others default to a small page size (e.g., 100 records) and return incomplete data silently if you do not paginate through all pages.
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp