Docebo Cloud LMS API Integrations

At Docebo we believe that integrating your LMS with third-party systems is key, so we offer a new LMS API system that customers can use to build integrations.

What’s the business advantage in using APIs?

A powerful Cloud LMS is one that is able to integrate with other enterprise applications, such as ERPs, HR software, reporting tools, etc. Interconnection between such systems is key to streamlining organizational processes and improving business performance.

What can you do with APIs?

Manage user LMS accounts

Manage courses and training materials

Enroll users in courses

Get statistics about users and courses

+ more functionalities are constantly added!

How do APIs work in practice?

If your company has an intranet portal used by your employees to access other services or tools and you want them to keep using the portal for their training, you may use the API module “user” to keep user accounts synchronized between the portal and the LMS. This means that any new user created in the portal can be pushed directly to Docebo with all his/her personal information already filled in, and any user update or removal can be applied – in real-time – to the LMS without having to trigger any additional tasks or requiring HR to manually manage user records in the LMS.

You can also show users the courses they’re supposed to take from within the portal so they can access them in a single click. This can be achieved with a few APIs and Docebo’s SSO (Single Sign On) support.

What’s more, APIs are technology independent – so you can use any programming language or framework to integrate your system or application with Docebo.

If you wish to know more about Docebo APIs, have a look at our online documentation.

What is a REST API?

Representational state transfer or REST strictly refers to a collection of network architecture principles that outline how resources are defined and addressed. The term is often used in a looser sense to describe any simple interface that transmits domain-specific data over HTTP without an additional messaging layer, such as SOAP or session tracking via HTTP cookies.
These two meanings can conflict as well as overlap. It is possible to design any large software system in accordance with Fielding’s REST architectural style without using HTTP and without interacting with the World Wide Web. It is also possible to design simple XML+HTTP interfaces that do not conform to REST principles, and follow a model of remote procedure call instead. The difference between the uses of the term “REST” therefore causes some confusion in technical discussions. Systems which follow Fielding’s REST principles are often referred to as “RESTful”.

How REST APIs are implemented in Docebo

Docebo doesn’t implement a strictly RESTful paradigm, but one that is more “REST-like,” since it supports either stateless or stateful connections (depending on the Docebo configuration). To call a Docebo API, you append the method URL to the standard platform URL, like this:


API Authentication

Docebo APIs use the OAuth 2.0 framework in most third-party scenarios, including authentication and authorization for web servers, installed and client-side applications.

OAuth 2.0 client credentials can be obtained on the Docebo API and SSO App settings page. Your client application will request an access token from the LMS, extract a token from the response and send it to each REST API that you’d like to access.

Basic Steps

1. Obtain OAuth 2.0 credentials from the Docebo API and SSO Settings page
Create a new OAuth 2.0 application with a Client ID and Client Secret that are known to both Docebo LMS and your application. The values vary depending on the type of application. For example, a JavaScript application does not require a Client Secret, but a web server application does.

2. Set up your application
If you have a valid Client ID (and, optionally, a Client Secret), you can set up your application to use the proper OAuth 2.0 endpoints:
– “Authorization Endpoint”: http(s):///oauth2/authorize
– “Token Endpoint”: http(s):///oauth2/token
Docebo supports all four OAuth 2.0 authorization grants (authorization code, implicit, resource owner password credentials and client credentials) to enable our APIs in several types of clients and scenarios.

3. Obtain an access token
Before the application can access private LMS data with a Docebo API, it must obtain an access token that grants access to that API. A single access token can access multiple APIs — the “scope” parameter controls the set of resources and operations that an access token permits. Your application will send the “API” value in the scope parameter during the access-token request to use the Docebo RESTful APIs.

4. Send the access token to an API
After obtaining an access token, an application sends the token to every Docebo API in the HTTP Authorization header as follows:

GET /api/ HTTP/1.1
Authorization: Bearer

5. Refresh the access token, if necessary
Since tokens have limited lifespans, your application can obtain a fresh token using the “Token Endpoint” if it needs to access a Docebo API beyond the life of a single access token. A refresh token allows your application to obtain new access tokens.
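
Steps 2 to 5 as a small Python client, added here as an example and not taken from Docebo's own code or SDK: it builds the Token Endpoint request, stores the token response, and attaches the Bearer header. The class name, the lower-case `api` scope spelling, the client credentials grant as the initial grant, sending the credentials in the form body, and the sample response are assumptions; the response fields follow RFC 6749.

```python
import json
import time
import urllib.parse
import urllib.request

class TokenClient:
    """Token handling for steps 2-5 (hypothetical helper, not a Docebo SDK class)."""

    def __init__(self, base_url, client_id, client_secret, scope="api"):
        # The page writes http(s)://; plain HTTP would expose the secret and tokens.
        if not base_url.lower().startswith("https://"):
            raise ValueError("LMS base URL must use https://")
        self.base_url = base_url.rstrip("/")
        self.client_id, self.client_secret = client_id, client_secret
        self.scope = scope  # page gives the value as "API"; letter case is an assumption
        self.access_token = self.refresh_token = None
        self.expires_at = 0.0

    def token_request(self):
        """POST for the Token Endpoint: refresh grant if possible, else client credentials."""
        if self.refresh_token:
            form = {"grant_type": "refresh_token", "refresh_token": self.refresh_token}
        else:
            form = {"grant_type": "client_credentials", "scope": self.scope}
        # Assumption: credentials go in the form body (RFC 6749 also allows HTTP Basic).
        form.update(client_id=self.client_id, client_secret=self.client_secret)
        body = urllib.parse.urlencode(form).encode("ascii")
        return urllib.request.Request(self.base_url + "/oauth2/token", data=body, method="POST")

    def store_token_response(self, raw_json, now=None):
        """Keep the tokens from a token response; expire 30 s early to absorb clock skew."""
        data = json.loads(raw_json)
        if "access_token" not in data or str(data.get("token_type", "")).lower() != "bearer":
            raise ValueError("not a bearer token response")
        now = time.time() if now is None else now
        self.access_token = data["access_token"]
        self.refresh_token = data.get("refresh_token", self.refresh_token)
        self.expires_at = now + int(data.get("expires_in", 0)) - 30

    def api_request(self, method_path, now=None):
        """GET for /api/<method_path> carrying the Authorization header from step 4."""
        now = time.time() if now is None else now
        if self.access_token is None or now >= self.expires_at:
            raise PermissionError("no valid access token: send token_request() first")
        req = urllib.request.Request(self.base_url + "/api/" + method_path.lstrip("/"))
        req.add_header("Authorization", "Bearer " + self.access_token)
        return req

# Constructed token response in the RFC 6749 shape (values are made up).
SAMPLE_RESPONSE = '{"access_token": "AT-constructed", "token_type": "Bearer", "expires_in": 3600, "refresh_token": "RT-constructed"}'
```

Pass a built request to `urllib.request.urlopen()` to send it. When the stored token has expired, `api_request()` raises and the next `token_request()` uses the refresh token if one was issued.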

Usage limits

To maintain optimum performance and to ensure APIs are available to all customers, Docebo’s APIs are limited to 1,000 API calls per hour from each IP address.

Legacy API Authentication

Although the legacy REST API authentication is still available in the current version for backward compatibility, this method will become unavailable with future releases, so we strongly recommend updating your API clients to use the new OAuth 2.0 framework.

The system is based on a pair of keys called “key” and “secret”. The “key” is exchanged between the systems in the clear, while the “secret” is used to create the concatenation parameter. The call is executed as described, but the X-Authorization parameter must be added to its header as follows:

X-Authorization: Docebo <code>

To obtain the “<code>” value (which must be appended after the “Docebo” string), proceed as follows: first, compute the SHA-1 hash of this concatenation: the POST values, in list order and separated by commas, then a comma, then the secret key (“secret”). Then generate the “<code>” by base64-encoding the concatenation of the “key”, the “:” character, and the hash previously generated.

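This is an example of the pseudo-code generation:

// SHA-1 over the POST values joined by commas, then a comma and the secret
$codice_sha1 = sha1(implode(',', $params) . ',' . $secret);
// <code>: base64 of the key, a colon and the SHA-1 hash
$code = base64_encode($key . ':' . $codice_sha1);

Additional header row for the POST call:

'X-Authorization: Docebo ' . $code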
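
The same legacy computation in Python, together with the check a receiving system would run on the header. This is an added example, not Docebo's code; the function names, the `secrets_by_key` lookup and the sample values are assumptions.

```python
import base64
import hashlib
import hmac

def _sha1_hex(values, secret):
    # sha1(implode(',', $params) . ',' . $secret); hexdigest() matches PHP's sha1() output
    joined = ",".join(str(v) for v in values) + "," + secret
    return hashlib.sha1(joined.encode("utf-8")).hexdigest()

def legacy_header(values, key, secret):
    """Header value 'Docebo <code>' with <code> = base64(key ':' sha1-hex)."""
    code = base64.b64encode(f"{key}:{_sha1_hex(values, secret)}".encode("utf-8"))
    return "Docebo " + code.decode("ascii")

def verify_legacy_header(header, values, secrets_by_key):
    """Receiving side: recompute the hash for the claimed key, compare in constant time.

    secrets_by_key is a hypothetical dict mapping each issued key to its secret.
    """
    scheme, _, code = header.partition(" ")
    if scheme != "Docebo":
        return False
    try:
        decoded = base64.b64decode(code, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return False
    key, sep, digest = decoded.rpartition(":")  # the hex digest never contains ':'
    secret = secrets_by_key.get(key)
    if not sep or secret is None:
        return False
    expected = _sha1_hex(values, secret)
    return hmac.compare_digest(digest.encode("utf-8"), expected.encode("utf-8"))

# Constructed sample values, not real credentials or real API parameters.
SAMPLE_KEY, SAMPLE_SECRET = "example-key", "example-secret"
SAMPLE_VALUES = ["jdoe", "jdoe@example.com"]
```

The hash covers only the comma-joined POST values, so the header carries no timestamp or nonce and does not distinguish `["a,b"]` from `["a", "b"]`. A receiver relying on it has to validate field boundaries and repeated requests itself.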

Docebo API Documentation

Here is the list of our APIs