LTI 1.3 Verification of LMS

New Member

LTI 1.3 Verification of LMS

As part of the LTI launch process, our app needs to make a request back to the issuer at an endpoint that is different for each LMS. 


We currently do this based on the issuer, a.k.a the URL of the of the LMS instance. Because all LTI 1.3 launches go to the same endpoint in our app, and the limited information provided in that initial request, we have been largely dependent upon that issuer URL. While it generally includes the name of the platform or some other indicator of which it is, that is not guaranteed, and we’ve seen instances where the URL doesn’t include the LMS name at all - so we need a more reliable method.


We still want to keep new deployments as “hands free” as possible, so that in the future any customer could still add our app integration with minimal or no support involvement.


What is the recommended way that we can verify the identity of the app coming from Schoology? We are interested in using the client id and deployment id. Is the client id consistent once we publish our app to the public? It seems like the deployment id will change with each install, is this true?


Thanks for your help!

0 Replies