Scholr can now teach, assess, recommend, and — as of Part 7 — bill. But there’s a wall around it. A school district has a student information system and a roster tool it already uses; an enterprise has a compliance-training library built in SCORM years ago; a university wants analytics flowing into its institutional Learning Record Store. A walled-garden LMS — however polished — cannot sell to any of them, because the first question every institutional buyer asks is “does it work with what we already have?” Interoperability standards are the price of admission to the institutional market. They are also finicky, unglamorous integration work that most tutorials skip entirely, which is exactly why getting them right is a competitive moat. This part makes Scholr a good citizen of the wider learning ecosystem through the three standards that matter: LTI 1.3, SCORM, and xAPI.
Scholr’s interop crisis was the most maddening kind: a bug that wasn’t in Scholr’s code at all, or so it seemed. A customer imported a SCORM compliance course — fire-safety training their staff had to complete — and learners dutifully finished it. The SCORM package’s own progress bar hit 100%, it showed its completion screen, everyone moved on. But Scholr’s records showed almost none of them as complete, the compliance report was a sea of red, and an auditor was due. The course worked; it reported “completed” to its embedded JavaScript API exactly as designed. The completion just never crossed the boundary from that opaque third-party package into Scholr’s tracking. Diagnosing it meant understanding a handshake most developers never see — and the fix is the spine of the SCORM section below.
Why interoperability matters: three standards, three jobs
The three standards are not competitors; they solve different problems, and a serious LMS speaks all three. LTI (Learning Tools Interoperability) connects live tools — it lets an external tool (a proctoring service, a coding sandbox, a Scholr course) launch seamlessly from inside another platform, with the user signed in and a grade flowing back. SCORM (Sharable Content Object Reference Model) packages self-contained content — it’s how a decade of corporate e-learning was authored, and supporting it means a buyer’s existing library still works. xAPI (Experience API, “Tin Can”) is the modern tracking standard — it emits granular learning records to a Learning Record Store, capturing experiences SCORM never could. The buyer expectation is blunt: LTI to integrate, SCORM to not abandon their old content, xAPI to feed their analytics.
It is worth being clear-eyed about why this is a moat rather than a chore. Standards compliance is a binary gate in institutional procurement: an RFP from a university or a Fortune-500 L&D team will list “LTI 1.3 certified,” “SCORM 1.2/2004 support,” “xAPI conformant” as hard requirements, and a product that can’t tick them is eliminated before the demo. The work is genuinely hard — these are decades-old specs with edge cases, certification suites, and interop quirks between platforms — which is exactly why a competitor who has done it well is hard to displace. The flip side is that interop is not where you innovate; it is where you meet a baseline reliably and move on. Spend your cleverness on the learning experience and your discipline on the standards, not the reverse.
| Standard | Solves | Shape | Reach for it when |
|---|---|---|---|
| LTI 1.3 | Launching live tools across platforms | OIDC launch + signed JWT + grade passback | Integrating with an institution’s LMS/tools |
| SCORM 1.2 / 2004 | Portable, self-contained content packages | Zip + manifest + a browser JS runtime API | Importing or selling legacy course content |
| xAPI / cmi5 | Granular learning-record tracking | Actor–verb–object statements to an LRS | Modern analytics, experiences beyond a course |
LTI 1.3: launching tools securely
LTI 1.3 is the modern standard, and it is built on OpenID Connect for a reason: a launch crosses a trust boundary. The institution’s LMS (the platform) hands a user off to your tool with a launch that asserts “this is user 9c3f, an instructor, in course Bio-101, and here’s where to send a grade back.” If your tool simply believes that assertion, anyone who can craft a launch request owns your tool’s view of any course’s roster and gradebook. So the entire ceremony exists to make the launch verifiable: the platform POSTs a signed JWT, and the tool validates the signature against the platform’s published keys (its JWKS endpoint) before trusting a single claim inside it.
Scholr’s validator makes the order of operations explicit, because the order is the security: verify the signature first, then check expiry, then — and only then — read the claims:
public LtiClaims validate(String token) {
String[] segs = token.split("\\.", 2);
if (!verifySignature(segs[0], segs[1])) {
throw new InvalidLaunchException("bad signature — launch not trusted"); // never trust unsigned
}
Map<String,String> claims = decode(segs[0]);
if (now().getEpochSecond() > parseExp(claims)) {
throw new InvalidLaunchException("launch token expired"); // replay protection
}
return new LtiClaims(claims.get("sub"), claims.get("context_id"), /* roles, AGS url … */);
}The full launch is a short dance, and it’s worth knowing the steps because each exists for a security reason. It is a third-party-initiated OIDC login: the platform first hits your tool’s login-initiation URL (telling you “a launch is coming, from this issuer”); your tool redirects back to the platform’s auth endpoint with a state and a nonce it generated; the platform then POSTs the actual signed launch (the id_token JWT) to your tool’s redirect URI. Your tool validates the signature, confirms the nonce matches the one it issued (blocking replay), checks iss/aud/exp, and only then renders. The round-trip feels like ceremony, but every leg closes a specific attack: the nonce stops a captured launch from being replayed, the issuer/audience checks stop a launch meant for someone else from being accepted, and the signature is the root of all the trust.
(In production the signature is RS256 verified against the platform’s JWKS; the reference code uses an HMAC stand-in so the security logic is real and testable without a key-distribution dance — the JWKS verification plugs in exactly where the signature check lives.) Two LTI services build on the validated launch. Deep Linking lets an instructor browse your tool from inside their LMS and embed a specific Scholr course as an assignment. And AGS (Assignment and Grade Services) is grade passback — when a learner finishes, your tool POSTs their score to the platform’s gradebook at the line-item URL the launch provided:
public void passbackGrade(LtiClaims launch, int scorePercent) {
if (launch.lineItemUrl() == null) throw new IllegalStateException("no AGS line item");
ltiPlatform.sendGrade(launch.lineItemUrl(), launch.subject(), scorePercent); // score → gradebook
}A third LTI service is the unsung workhorse of real deployments: NRPS (Names and Role Provisioning Services), the roster API. Without it, an instructor would have to manually reconcile who is in their course; with it, your tool can pull the membership list for a context — who is enrolled, in what role — directly from the platform, so a Scholr course launched into a university class automatically knows its roster. NRPS is also a privacy boundary worth respecting: it returns the platform’s stable user identifiers and only the personal fields the institution chose to share, so your tool should key learners by that opaque subject identifier (exactly what the launch’s sub claim carries) rather than assuming it gets names and emails. Identifying users by a stable, opaque id rather than PII is both an LTI convention and good data-minimization hygiene.
One framing decision shapes all of this: are you an LTI tool (you launch inside someone else’s platform) or an LTI platform (others launch inside you)? Most LMSs are both at different moments, but they are different roles with different responsibilities, and conflating them is a common source of confusion. Scholr is primarily a tool here — launched by an institution’s LMS — which is the role that opens the institutional market.
SCORM: supporting content you didn’t author
SCORM is older, clunkier, and unavoidable, because an enormous amount of existing corporate training is SCORM and buyers will not re-author it. A SCORM package is a zip containing HTML/JS content plus an imsmanifest.xml that declares the title and the launch file. Importing one means reading that manifest — and here is the first lesson, because a SCORM package is untrusted third-party content. A naive XML parser is vulnerable to XXE (XML External Entity) attacks, where a malicious manifest declares an external entity that reads server files or triggers SSRF. So Scholr’s manifest parser disables DTDs and external entities outright before parsing a byte:
DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // refuse DTDs
dbf.setFeature("http://xml.org/sax/features/external-general-entities", false); // no XXE
dbf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// ...then, and only then, parse the untrusted manifestOnce imported, the content is launched — and now the war story. SCORM content tracks itself through a JavaScript runtime API: the package, running in the browser, finds a well-known API object (provided by the LMS) and calls it to report status — cmi.core.lesson_status = "completed", a score, a commit. The catch is that the package and your LMS are different origins running in the same page, and the handshake between them is exactly where things break. Scholr’s bug was that the SCORM content was launched in an iframe, called its runtime API to report completion, and that completion was lost because the runtime adapter wasn’t reliably bridging the call back to a durable server-side record. The package was happy; the server never heard.
The fix has two halves. In the browser, the LMS must expose the SCORM API object where the package’s discovery algorithm actually looks for it (walking up the iframe parent chain), so the package can find it at all. And on the server, the commit the runtime makes must land in a reliable, idempotent endpoint — because a flaky runtime may commit twice, or retry, or fire on unload. Scholr models that server-side capture so a duplicate commit can’t double-record and a completion, once it arrives, is durable:
public Optional<XapiStatement> commitScormCompletion(UUID learner, UUID pkg, String lessonStatus, Integer score) {
if (!isCompletion(lessonStatus)) return Optional.empty(); // "incomplete" → nothing durable yet
// a STABLE id derived from (tenant, learner, package) → a doubled commit dedupes in the LRS
UUID id = UUID.nameUUIDFromBytes((tenant + ":" + learner + ":" + pkg).getBytes());
XapiStatement statement = new XapiStatement(id, tenant, learner, "completed", pkg, score);
lrs.record(statement); // idempotent store
return Optional.of(statement);
}The same idempotency discipline that protected enrollment, exam submission, events, and payments now protects a SCORM completion. Once the runtime’s commit reaches the server, the completion is captured exactly once and survives — and the compliance report turns green.
A subtlety many teams hit: SCORM 1.2 versus SCORM 2004. They differ in their data model and especially in sequencing (2004 adds a complex navigation-and-sequencing model 1.2 lacks), and in how completion and success are reported (1.2 conflates them in lesson_status; 2004 separates completion_status from success_status). A robust importer detects the version from the manifest and adapts, rather than assuming one — which is why Scholr’s parser reads the schemaversion and records it on the package.
xAPI and cmi5: your event stream is your LRS feed
xAPI is the modern answer to SCORM’s limitations. Where SCORM tracks a learner inside a single packaged course, xAPI captures any learning experience as a statement — actor, verb, object: “Maria completed Fire Safety,” “Jon experienced the simulation,” “Aisha scored 92 on the assessment” — and ships those statements to a Learning Record Store, a purpose-built system institutions use to aggregate learning across every tool they own. Supporting xAPI is what lets Scholr’s data flow into a customer’s broader analytics.
And here is the elegant part, the one that ties this part back to Part 5: you have already built the hard part. An xAPI statement is just a learning event in a standard shape, and Scholr already emits reliable domain events through its transactional outbox. So feeding an LRS is not a second instrumentation effort — it is a translation at the boundary. Scholr maps the internal events it already produces into xAPI statements:
public Optional<XapiStatement> toStatement(OutboxEvent event) {
return switch (event.type()) {
case "enrollment.created" -> Optional.of(statement(event, "registered", null));
case "lesson.completed" -> Optional.of(statement(event, "completed", null));
default -> Optional.empty(); // no xAPI verb for this event — don't fabricate one
};
}The translator is a pure function, so the mapping is trivially testable and replay-safe, and the LRS dedupes on statement id. cmi5 is worth a mention as the bridge between the two worlds: it is a profile that runs xAPI inside a SCORM-like packaging and launch model, giving you SCORM’s “launch a package” ergonomics with xAPI’s rich tracking — the migration path off SCORM for content authors who want both.
One capability xAPI has that SCORM structurally cannot is offline and disconnected tracking. Because a statement is a self-contained record rather than a live call into an LMS runtime, a mobile app or a piece of field-training equipment can queue statements while offline and flush them to the LRS when connectivity returns — learning that happened on a factory floor or a remote site is captured, not lost. This is why xAPI matters well beyond replacing SCORM: it models learning experiences that never touch a browser-based course at all, which is increasingly where workplace learning actually happens. The trade-off is that an LRS becomes another datastore to operate and secure — and, like the search index in Part 6, one with no Postgres Row-Level Security, so statements carry their tenant id and every read filters on it by hand.
| Concern | SCORM | xAPI |
|---|---|---|
| What it can track | Inside one packaged course | Any experience, anywhere |
| Where data lands | The LMS that launched it | A Learning Record Store |
| Connectivity | Needs the browser runtime, live | Statements can be queued/offline |
| Best for | Legacy content you must support | Modern, cross-tool analytics |
Authoring and content import: where courses come from
Interop is about content that arrives from elsewhere; authoring is about content created in Scholr, and the two meet in the content model. A modern authoring experience is block-based — a course is a tree of typed blocks (text, video from Part 3, quiz from Part 4, embed) that an instructor composes visually — which keeps content structured and queryable rather than trapped in opaque HTML. The discipline that matters most here is draft/publish versioning: an instructor edits a draft while learners keep seeing the last published version, then publishes atomically, exactly the safe-rollout instinct the rest of the series applies to schema and search indexes. Learners should never watch a course mutate under them mid-lesson, and an author should never fear that a typo fix is instantly live and unreviewed.
There’s also a build-versus-buy choice for the authoring tool itself. You can build a native block editor, embed a third-party authoring SDK, or simply accept that authors will use a dedicated tool (Articulate, Rise) and import the SCORM/xAPI output. Most platforms blend these, and the right mix depends on how central authoring is to your product.
| Authoring approach | Best for | Cost |
|---|---|---|
| Native block editor | Authoring is core; you want structured, queryable content | High build cost; full control |
| Embed an authoring SDK | Rich editing fast, without building it | Vendor dependency; integration work |
| Import-only (external tools) | Authors already use Articulate/Rise | Lowest build; relies on SCORM/xAPI import |
Content import and migration is the other on-ramp: importing SCORM and Common Cartridge packages, and migrating wholesale from another LMS. This is unglamorous, high-value work — the deciding factor in many institutional sales is “can you bring our existing courses across?” — and it is precisely where the safe-handling and reliable-capture disciplines above pay off, because imported content is, by definition, content you did not author and cannot fully trust. The hard parts are rarely the format conversion; they are fidelity (does an imported quiz still grade the same?) and scale (a migration is a bulk pipeline, not a one-off upload), and both reward treating import as a first-class, observable process rather than a button.
Security of embedded content: never trust the package
Every interop feature in this part shares one risk: you are running, or bridging to, code you did not write. A SCORM package is arbitrary third-party HTML and JavaScript; an LTI launch comes from outside; an imported course could be hostile. The non-negotiable defenses follow directly. Sandbox embedded packages in an iframe with a restrictive sandbox attribute and a strong Content-Security-Policy, ideally served from a separate origin so a malicious package can’t reach your app’s cookies or DOM. Harden every parser against XXE and injection, as the manifest parser does. Validate every launch cryptographically before trusting a claim. The thread is one sentence, and it is the same failure-design discipline the production engineering playbook applies to any untrusted input: treat all third-party content and every inbound launch as hostile until proven otherwise, and contain it so that even if it is hostile, it can’t reach anything that matters.
| Threat | Vector | Defense |
|---|---|---|
| XXE / SSRF | Malicious SCORM imsmanifest.xml |
Disable DTDs & external entities before parsing |
| Package XSS / token theft | Hostile JS in a SCORM package | Sandboxed iframe + CSP + separate origin |
| Forged LTI launch | Unsigned/unverified launch token | Verify the signature (JWKS) before any claim |
| Replayed launch | A captured valid token reused | Check expiry and nonce |
The war story, resolved — and what we’d do differently
Scholr’s compliance-report disaster was a SCORM runtime handshake that silently dropped completions: the package reported “completed” to its embedded API, but the call never reached a durable server record, so the LMS believed almost no one had finished a course almost everyone had. The fix was twofold — expose the SCORM API where the package’s discovery algorithm actually looks for it across the iframe boundary, and make the server-side commit reliable and idempotent so that once a completion arrives it is captured exactly once and cannot be lost. After it shipped, completions registered the moment learners finished, and the compliance report finally matched reality.
What would we do differently? We would have treated interop as a reliability problem from the start, not a feature checkbox — the SCORM handshake, the LTI launch, the xAPI feed all have the same failure modes (dropped, duplicated, forged) the rest of the platform already had patterns for, and applying those patterns up front would have prevented the bug. We would have built the xAPI feed as a translation of our existing event stream from day one rather than contemplating separate instrumentation, because the stream was already there. And we would have sandboxed and hardened third-party content before importing a single package, because “we’ll secure it later” is how an LMS becomes the delivery vehicle for someone else’s XSS. The thread, one last time for this series of integrations: treat what you didn’t author as hostile, make every boundary verifiable, and make every capture idempotent.
A word on testing, because interop is uniquely hard to verify and uniquely costly to get wrong in front of a customer. The standards have certification suites (IMS Global’s for LTI, conformance tests for xAPI) you can run against, and you should — passing them is often a literal procurement requirement. But conformance is necessary, not sufficient: real platforms interpret the specs with quirks, so the only way to be confident is to test launches against the actual LMSs your customers use (Canvas, Moodle, Blackboard) and to import the actual packages they hand you. The reference code in this part takes the testable core — signature verification, expiry, XXE rejection, idempotent capture, the event-to-statement mapping — and proves it deterministically in the build, which is the right foundation; the integration testing against real platforms layers on top of that, not instead of it.
Get the code and run it
Everything above is in the companion repository, evolving the same codebase the series has built since Part 1. Each part has its own branch frozen at that lesson’s checkpoint, and main always holds the latest cumulative code.
# this part's exact code:
git clone https://github.com/muasif80/tutorial-lms-platform.git
cd tutorial-lms-platform
git checkout part-8
# the latest cumulative build is always on main:
git checkout mainVerify it the way the build does — xAPI translation into a tenant-isolated LRS, LTI launch validation (and rejection of tampered/expired launches), AGS grade passback, XXE-safe SCORM parsing, and reliable idempotent completion capture all run under one command:
mvn verify # green = LTI validation + SCORM safety/capture + xAPI translation all holdWhere each idea in this article lives in the code:
- xAPI: your event stream as an LRS feed —
interop/XapiTranslator.java+ theLearningRecordStoreport (InMemoryLrs.java). - LTI 1.3 launch validation —
interop/LtiLaunchValidator.java(verify-then-trust, expiry check). - AGS grade passback —
interop/LtiPlatform.java+InteropService.passbackGrade. - XXE-hardened SCORM manifest parsing —
interop/ScormManifestParser.java. - Reliable, idempotent SCORM completion capture —
InteropService.commitScormCompletion. - The proof —
InteropTest.javaasserts launch validation, tampered/expired rejection, grade passback, XXE rejection, and idempotent completion.
Frequently asked questions
LTI, SCORM, or xAPI — which do I need?
Most likely all three, because they solve different problems. Use LTI 1.3 to integrate as a live tool inside an institution’s LMS, with single sign-on and grade passback. Support SCORM to import and run the large body of existing packaged course content buyers won’t re-author. Emit xAPI statements to a Learning Record Store for modern, cross-tool analytics. A practical order: LTI first if you’re selling into institutions that will launch you, SCORM if buyers have legacy content, and xAPI to feed analytics — and note that since you already emit domain events, xAPI is mostly a translation, not new instrumentation.
How do I import and launch SCORM packages?
Read the package’s imsmanifest.xml to get the title and the launch file, parsing it with a hardened XML parser that disables DTDs and external entities (SCORM packages are untrusted input and a naive parser is vulnerable to XXE). Launch the content in a sandboxed iframe, expose the SCORM JavaScript runtime API where the package’s discovery algorithm looks for it, and — critically — make the server-side endpoint that records the runtime’s completion commit reliable and idempotent, so a completion is captured exactly once and never silently dropped across the iframe boundary.
How does xAPI relate to my event pipeline and LRS?
An xAPI statement is a learning event in a standard actor–verb–object shape, so if you already have a reliable internal event stream (a transactional outbox feeding domain events), feeding a Learning Record Store is a translation at the boundary rather than a second instrumentation effort. Map each internal event to an xAPI statement and ship it to the LRS; keep the translator a pure function and dedupe on statement id so replays and retries are safe. Your event stream effectively becomes your LRS feed.
How do I safely embed third-party (SCORM or LTI) content?
Treat all third-party content and every inbound launch as hostile until proven otherwise. Run embedded packages in a sandboxed iframe with a restrictive Content-Security-Policy, ideally on a separate origin so the package can’t reach your app’s cookies or DOM. Harden every parser against XXE and injection. Verify every LTI launch’s signature against the platform’s keys before trusting any claim, and check its expiry and nonce to block replays. Contain the content so that even if it is malicious, it cannot reach anything that matters.
Conclusion
Interoperability is what turns an LMS from a product into a citizen of an ecosystem institutions already run. We supported LTI 1.3 with verifiable launches and grade passback so Scholr can plug into an institution’s LMS; handled SCORM by parsing untrusted manifests safely and capturing completions reliably and idempotently so the compliance report tells the truth; fed xAPI by translating the event stream we already had into statements for a Learning Record Store; and contained every piece of third-party content behind sandboxing, hardened parsers, and verified launches. Scholr’s silently-dropped-completion disaster — and the broader risk of running code you didn’t write — is now designed out, and the door to the institutional market is open.
The full, tested implementation — the LTI validator, the XXE-safe SCORM parser, the idempotent completion capture, and the xAPI translator, all verified by a build that proves them — is on the part-8 branch of the companion repository. ⭐ Star it to follow the build. Next, in Part 9, we turn to the layer learners actually touch: the frontend, accessibility, and internationalization — building an experience that works for everyone, on every device, in every language.
Leave a Reply