Studeia public API: overview

Studeia public API: 166 documented REST methods (33 groups), 35 granular scopes, dual auth (session or Bearer key) on most routes, Redis rate limiting (3 tiers), CORS. Docs at /docs/api

2026-05-31 5 min

Resposta curta

Studeia public API has 166 documented REST methods grouped in 33 categories (courses, users, enrollments, classes, media, gradebook, question-banks, live-classes, LTI, automations, reports, gamification, etc). Most resource routes accept dual auth — session or Bearer API key with 35 granular scopes; routes that manage credentials, OAuth, billing, SSO, video/avatar and domain verification are session-only. Redis rate limiting (3 tiers), CORS enabled.

Endpoint pattern

https://[tenant].studeia.com/api/institution/[resource]

Authentication — dual auth

Most /api/institution/* routes accept 2 modes. Routes that manage credentials, OAuth, billing, SSO, video/avatar providers and domain verification are session-only for security (they do not accept API keys):

Bearer API key

GET /api/institution/courses
Authorization: Bearer mia_abc123...

Session cookie

GET /api/institution/courses
Cookie: sb-access-token=...

Scopes (granular)

Each resource route declares requiredScopes; the API key needs the corresponding scopes. The backend recognizes 35 scopes total.

Common: courses:read|write, users:read|write, enrollments:read|write, classes:read|write, media:read|write, grades:read|write, question-banks:read|write, live-classes:read|write, lti:read|write, drive:read|write, automations:read|write, gamification:read|write, reports:read.

API key with empty scopes ([]) = total access (admin keys).

Rate limiting

Tier	Req/hour	Burst/min
standard	1,000	100
high	5,000	300
custom	configurable	custom/60

Headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset. Exceeded: 429 with Retry-After.

Response pattern

Success:

{
  "data": [...],
  "pagination": { "page": 1, "perPage": 50, "total": 247 }
}

Error:

{
  "error": "validation_failed",
  "details": [{ "field": "email", "message": "Invalid format" }]
}

i18n

Errors localized via header Accept-Language: en-US (or pt-BR, es-ES, fr-FR).

Quickstart

# List courses
curl https://[tenant].studeia.com/api/institution/courses \
  -H "Authorization: Bearer mia_abc123..." \
  -H "Accept-Language: en-US"

See also

FAQ

How do I create an API key?

As institution_admin: /institution/settings > API Keys > Create. Configure name, scopes (granular: courses:read, users:write, etc), rate limit tier (standard 1000/h, high 5000/h, custom). The full key (format mia_ + 40 hex) is shown ONCE after creation. Only SHA-256 hash stays in DB.

Is rate limit per user or per key?

Per API key. Each key has its own rate limit tier. Response headers: X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset. Rate exceeded: HTTP 429 with Retry-After header.

Can I create user via API?

Yes. POST /api/institution/users with users:write scope. Body: { name, email, role, classGroupIds?, sendInvite? }. Respects plan student limit (checkTenantResourceLimit fail-closed).

Are there webhooks to receive events?

Yes, via Automations. Create automation with event trigger (lesson_completed, quiz_submitted, etc) + send_webhook action to your URL. Template interpolation supported.

Veja tambem

Automations

Studeia public API: overview