Coursera for Business: API onboarding document

Welcome to the guide for using the Coursera for Business API. This document will lay out the
key details you need to access your API, how to set up access, the libraries and requests you
can use, and some FAQs.

Key API Details

Type Value

Coursera Account Email sa+tusimple@coursera.org

Coursera Password F-puM765Ee2yMw5aWjL29w

Client_secret Available within org console

Client ID y0LScSEQuMjIsq2Ov8LAlA

Org API URL https://accounts.coursera.org/console/org/sR

MBzd2zJcGH6455TBBpDg/app/y0LScSEQu
MjIsq2Ov8LAlA

Org ID c37xwraOSFytEjHm5uQEEA

Program ID (Optional) L5Vab6GGEe22BhJjP5ulfQ

How to use the Coursera for Business API

Step No 1. Setup the OAuth client and provide the necessary credentials.
To access the OAuth credentials, please log into coursera.org with the Coursera account email
and password listed above (this is your service account), then visit the App Console.

This new Coursera account is created specifically for the API client and is authorized to access
organization information about the API.

After logging in, please navigate to your app page, where the OAuth client_id & client_secret
are displayed.
 ● Note them down as you will need these credentials later.
● The redirect URL can be adjusted if necessary.

The scope to be used is "access_business_api", which is not displayed on the page, but access
to the scope has been granted to the app.

To access program data, you will need your org_id, which is listed in the table at the top.

Step No 2. Getting initial code

The first time you access the API, you’ll need to get code through the browser, which can be
achieved in the following way:

1. Login to https://www.coursera.org using your Coursera API account

(sa+tusimple@coursera.org)
2. Visit this URL on browser (Replace the clientId in the URL)
https://accounts.coursera.org/oauth2/v1/auth?scope=view_profile+access_business_api
&redirect_uri=http://localhost:9876/callback&access_type=offline&grant_type=authorizati
on_code&response_type=code&client_id=y0LScSEQuMjIsq2Ov8LAlA
3. If asked, select Accept on the browser prompt with the message "API client is
requesting the following access to your Coursera account"
4. In the browser, there will have been a redirect to a URL like
http://localhost:9876/callback?code=<code>

● This code is what you can use to get your tokens.

● Note this down as you will need to use it later

Step No 3. Getting access and refresh token

This step can be automated, and you can find implementation in the python library. Alternatively,
you can download this postman library to make the requests.
● Be careful as you can only use your code one time.

1. Use any HTTP client to send a POST request to

https://accounts.coursera.org/oauth2/v1/token with form_body as below:
redirect_uri:http://localhost:9876/callback
client_id:y0LScSEQuMjIsq2Ov8LAlA
client_secret:<client_secret>
Access_type:offline
Grant_type:authorization_code
code: <code(From previous step, No 2)>
 2. The JSON response from server will look like the below:
{
"access_token":<access_token>,
"token_type": "Bearer",
"expires_in": 1800,
"refresh_token": <refresh_token>
}

On this step you will receive two keys:

access_token
● The access_token will expire in 1800 seconds.
● You can get a new access_token with the refresh token you received (see step No 3).
● Every time when you requested a new access token it also prolongs the refrest_token
life (for two weeks.)
refresh_token
● The refresh_token will expire in two weeks.
● For the new refresh token, repeat step No 1.
Step No 4. Getting a new access_token with refresh_token
You should get a new access_token for new requests every 30min.
It’s important to also prolong the refresh_token lifetime by this action.

1. Use any HttpClient to send a POST to:

https://accounts.coursera.org/oauth2/v1/token with form_body as below:
Grant_type:refresh_token,
refresh_token:<refresh_token>,
client_id:y0LScSEQuMjIsq2Ov8LAlA
client_secret:<client_secret>

2. The response will have a new access_token and will look like below
{
"access_token": <access_token(NEW)>,
"token_type": "Bearer",
"expires_in": 1800
}

Step No 5. Test API Access with Token

You can test that the token is valid by the request:
curl -H "Authorization: Bearer <access_token>"
https://api.coursera.org/api/businesses.v1/c37xwraOSFytEjHm5uQEEA/programs
You should now be able to access the APIs.

Explanation of parameters

1. Code from step #2:

a. This is a one time use parameter, which means you use it to get only one pair of
access and refresh tokens.
If you need to generate a new pair, please follow the above procedures for
getting a token from the beginning.
b. Expiration time of this parameter is 5 minutes.
c. If on step 4 you make a mistake or type and therefore get an error message in
response, please begin the procedure of getting tokens from the beginning
(generate a new pair of access and refresh tokens).
2. Access_token:
a. This parameter is used in each API request like a “key” to the Coursera data.
b. The expiration time is 30 minutes.
c. After expiration it can be regenerated by <refresh_token>.
3. Refresh_token:
a. This parameter is used to regenerate the access_token
b. Expiration time is 14 days.
If during these two weeks you use it to regenerate an access_token, the
expiration time will be prolonged by another two weeks from when you used it.
c. If, nevertheless, expiration could not be avoided, you should make all the
procedures of getting tokens from the beginning(generate a new pair of access
and refresh tokens).

Available Libraries
We have resources in Python and PHP to help with your development. The links below will
hopefully serve as useful examples regardless of what language you plan to develop in.

Python client
Coursera has released a python library for accessing Coursera APIs that are behind OAuth 2.0.
You can follow the instructions to install and setup the client. During the setup process, you
need to log in using the "sa+suncor@coursera.org" account. The script will download the
access and refresh tokens, and it will save them in a local file. After that when you make API
requests using the library, the tokens will be read from the file and be used to authenticate the
client.

PHP client
We do not have a PHP library to make Coursera specific calls, but there are open source PHP
clients for OAuth 2.0. For example, this PHP OAuth wrapper is quite easy to use. Linked below,
you can find two PHP files, which use that library to access the Coursera API. The first file,
setup.php, handles the OAuth2 handshake and downloads the access tokens. The second file,
programs.php, uses the saved tokens to make API requests.

Common Requests
The following postman collection contains many common requests you will want to make to the
Coursera API.

Troubleshooting

Where can I find my client_ID and client_secret?

The first place you should look is within the onboarding documentation provided by your
implementation manager. If any parameters are missing from the documentation you should:
1. Login with your service account at https://coursera.org
2. Navigate to https://accounts.coursera.org/console
3. Click on your organization
4. Now you can see your client_id and client_secret

I receive message {"message":"Missing parameter: ar","statusCode":400}

when request code
Please check the url you used to request the code; it is likely there is white space in there
somewhere.
Example of wrong request:
https://accounts.coursera.org/oauth2/v1/auth?scope=view_profile+access_business_api&redire
ct_uri=http://localhost:9876/callback&access_type=offline&grant_type=authorization_code&resp
onse_type=code &client_id=your_client_id
When I try to get a code I receive the error: "invalid_request"
This error means that you made a mistake in params of URL from the step #2 (in generate
tokens instruction)
● Check if you forgot to input all necessary parameters
● Check if there are any white spaces before or after each parameters, especially
client_id

When I send the request from the step 4 I receive an error: "Invalid Code"
It is likely to be one of this reasons:
1. You tried to use a code for the second time
2. There is space before or after the code
3. There is a typo within one of the parameters in the request

The Code expires too quickly, can we extend it?

Unfortunately expiration time is a constant value and cannot be changed.
Default time for the access token is 30min.

After some time I send a request and get the error: "Not Authorized"
This means your access token is expired and you need to regenerate it by next request :
curl --location --request POST
'https://accounts.coursera.org/oauth2/v1/token' \
--data-urlencode 'grant_type=refresh_token' \
--data-urlencode 'client_id=<client_id>' \
--data-urlencode 'client_secret=<client_secret>' \
--data-urlencode 'refresh_token=<refresh_token>'

When I send a request with unexpired access_token but get an error : "Not
Authorized"
It means when you received the code in step 2 you were logged into a personal account (eg
user@company.com) and not in your service account, which will be something like:
(sa+client_name@coursera.org).
General information
OAuth2 is a protocol designed to let third-party applications authenticate to perform actions as a
user, without getting the user's password. Coursera uses OAuth2 (specificallyRFC-6749) for
authentication and authorization of Coursera API.
Coursera only supports Authorization Code Flow grant which means you will be required to
login using a Coursera account during the Authorization request.
Performing the OAuth2 token request flow requires the following items that will be provided by
Coursera:
● Coursera account
● Your client_id
● Your client_secret(the client secret should never be shared)
FAQs
Below you can find answers to the most common issues you’ll face and questions you’ll have while
using the Coursera Enterprise APIs.

1. What errors come from Coursera API in response?

ErrorCode HTTP code Message Description Refresh token

status

- 400 Invalid_client-rate limit You tried to get access The refresh

token too many times. You token is still
need to wait for 15-20 min. valid.

- 400 invalid_code Your refresh token is The refresh

expired or wrong. token is not
valid.

INVALID_EMAIL 400 Invalid email address You used the email with The refresh
you@mail invalid format. token is still valid

auth.perms 403 User You try to get info using an Need to

UserId(35027045) not access token created for generate a token
allowed to access another organization. for valid user.
information about
business
V3_1ZcnAR4CqQeO7y
R8kUA.

auth.perms 401 Missing authentication You need to update the Access token
access token. should be
updated.

DUPLICATE_EX 400 ExternalID You try to invite the same The refresh
TERNAL_ID 413861904646 already user with the same id but token is still
in use in roster with a different email valid.
uX6uZKfbS0iyIKcY160 address.
uGw

INVITATION_AL 400 An active invitation You try to invite the same The refresh
READY_EXISTS already exists for user with the same email token is still
jdoe@domain.com in address and id. valid.
program
_4R9y4T_EeiCTg7Px
GqkyA
MEMBERSHIP_ 400 A valid membership You try to invite a user that The refresh
ALREADY_EXIS already exists for id is already a member in the token is still
TS 45602592~uX6uZKfbS program. valid.
0iyIKcY160uGw, email
u@m

- 504 Request timed out. You used wrong limits. The refresh
Request: FINDER token is still
/api/enterpriseCourseE valid.
nrollmentReports.v1
finder: byProgram,
args: Map(id ->
7KDXEJQUEeeqWw7v
8NDIpg), limit:
Some(1000), start:
Some(43000)

None 500 None Uknown. Repeat your The refresh

request after 1-3min. token is still
valid.

2. Where can I get the Postman collection for business API?

There is a collection with all requests for Coursera for Business. Please keep in mind
to generate your own access token or code before using this
collection(https://www.getpostman.com/collections/a01def0c9a6073abdade)
3. When is someone classed as a ‘member’?
A user becomes a member when they accept a program invitation and joins the
program.
4. Are courseIDs(contentIDs) the same for all organisations(clients)?
● Yes, these values will be the same for all clients.
● Note that programIDs will always be unique.
5. I’m getting “message: “User UserId(some_id) not allowed to access information about
business some_org_id.“, what should I do?
Based on our experience, there are a few possible cases with this error:

a. Be sure that you are not logged into a personal account on Coursera, even in a
different tab. It may be easier to use incognito mode.
b. We recommend to use https://accounts.coursera.org/console instead of
https://www.coursera.org/ to get the key.
c. You may be sending uppercase names for parameters: “Client_id” & “Client_secret”.
Make sure to use lower case: “client_id” & “client_secret”.
d. There is a space between or after the parameters.
 e. You have the wrong value for a parameter eg “Org_id”.

6. How many users can I invite using a multiple invite request?

You can invite 200 users per attempt.
7. How many courses can I get per API call?
You can get 1000 courses per call.
8. How many members/users can I get per API call?
You can get 1000 users per call.
9. Will a course link within a program change?
No, it will follow the same consistent structure:

https://www.coursera.org/programs/your_program_id?productId=your_course_id&pro
ductType=course&showMiniModal=true

10. What is the Redirect URL?

This is the url that will be used to redirect the response from Coursera. You will be able
to get the authorization code from this url, which can be used to get refresh and access
tokens for the first time. It can also be used for automatic response processing and
further requests for the pair of tokens.

11. What should I add for SSO deep-link?

To activate an SSO deep-link you need to add a parameter
&attemptSSOLogin=true at the end of the link. E.g.:
https://www.coursera.org/programs/program_slug?productId=your_course_id&produ
ctType=course&showMiniModal=true&attemptSSOLogin=true