Student Data API


Authentication


The Student Data API uses a two-layer authentication model. Both credentials must be included in every data request.

API Key (x-api-key)

The API key identifies your vendor account and enforces rate limits. Include it as a request header:

x-api-key: sk_live_abc123def456...

The API key does not authorize access to data; it controls throttling and usage tracking. Keep it confidential anyway, so that others cannot consume your rate limit quota. The API key is required on all requests, including the login endpoint.

Bearer Token (Authorization)

The Bearer token is a Permission JWT (PJWT) that defines your authorized data access scope — which districts and schools you can query. Include it as a standard Bearer token:

Authorization: Bearer eyJhbGciOiJIUzUxMiI...

Vendors obtain a PJWT by calling the Login Endpoint (POST /v1/login) with their Triand account email and password. The token is valid for 24 hours and must be refreshed by calling login again.

The PJWT encodes:

  • Your vendor identity
  • Authorized district IDs
  • Authorized school IDs
  • Permission flags

You cannot modify the PJWT to expand your access scope. If you need access to additional districts or schools, contact your administrator.

Authentication Flow

  1. Call POST /v1/login with your email, password, and x-api-key to receive a PJWT
  2. Cache the PJWT token (valid for 24 hours)
  3. Include both x-api-key and Authorization: Bearer {pjwt} on all data requests
  4. When the token expires (401 response), call login again to get a fresh token

Example Request

POST https://api.triand.com/v1/students
Content-Type: application/json
x-api-key: sk_live_abc123def456...
Authorization: Bearer eyJhbGciOiJIUzUxMiI...

{
  "limit": 25,
  "districtlea": "1503000"
}

Authentication Errors

If authentication fails, the API returns one of these responses:

Status  Error Code     Cause
403     Forbidden      Missing or invalid x-api-key
401     unauthorized   Missing Authorization header
401     invalid-token  Malformed or expired PJWT token
403     no-privilege   Token valid but lacks permission for the requested data
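
The authentication flow and error table above, combined into a client that caches the PJWT, sends both credentials, and re-logs in only on a 401. This is an added example, not Triand's code. The `send` transport hook, the login body field names (`email`, `password`) and the `token` response field are assumptions, since the page does not show the login request or response format.

```python
import time

TOKEN_TTL = 24 * 60 * 60  # the page states the PJWT is valid for 24 hours


class ApiError(Exception):
    """Raised for any response the client cannot recover from."""


class StudentDataClient:
    # `send(method, path, headers, body) -> (status, json_dict)` is a
    # hypothetical transport hook, so the flow can be exercised offline.
    def __init__(self, send, api_key, email, password, clock=time.time):
        self.send, self.api_key, self.clock = send, api_key, clock
        self.creds = {"email": email, "password": password}  # assumed field names
        self.token, self.expires = None, 0.0

    def login(self):
        # Step 1: the login call itself must also carry x-api-key.
        status, body = self.send("POST", "/v1/login",
                                 {"x-api-key": self.api_key}, self.creds)
        if status != 200:
            raise ApiError(f"login failed with HTTP {status}")
        self.token = body["token"]  # assumed response field name
        self.expires = self.clock() + TOKEN_TTL - 60  # refresh a minute early

    def request(self, path, body):
        # Step 2: reuse the cached PJWT until it is close to expiry.
        if self.token is None or self.clock() >= self.expires:
            self.login()
        for attempt in (1, 2):
            # Step 3: both credentials go on every data request.
            headers = {"x-api-key": self.api_key,
                       "Authorization": f"Bearer {self.token}"}
            status, data = self.send("POST", path, headers, body)
            if status == 401 and attempt == 1:
                self.login()  # Step 4: token rejected, fetch a fresh one once
                continue
            if status != 200:
                # A 403 (bad key or no-privilege) is never retried: a new
                # login cannot widen scope or repair the API key.
                raise ApiError(f"HTTP {status} on {path}")
            return data
```

Retrying only once on 401 keeps a revoked account from looping against the login endpoint and burning the rate limit tied to the API key.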

Token Rotation

If your API key is compromised, contact your administrator to rotate it. A new key will be issued and the old one deactivated. Your Bearer token (PJWT) will be regenerated if your access scope changes — simply call login again to get the updated token.