Launch + idtoken-based SSO
Make sure you've read about authenticating API requests before proceeding to the guide below.
The ID Token endpoint only accepts the ltik based authentication method.
When a user clicks your LTI® tool inside an LMS, their browser will eventually arrive at your application. By the time they land on your page, you need them logged in to your own application's authentication system — LTIAAS does not run that authentication for you. What LTIAAS does is verify the LMS's signed claims about the user and hand them to you in a developer-friendly format called the ID Token. Your application then uses the trusted identity contained in the ID Token to either log the user into an existing account in your tool or provision a new one on the spot.
This guide walks through the full end-to-end flow, from the moment a user clicks the tool link inside the LMS to the moment they're logged into your application. It also shows concrete patterns for the most common authentication setups your application might already be using: a server-side session cookie, a short-lived JWT for a single-page application, and identity providers like Auth0, Cognito, Firebase Auth, and NextAuth.js.
User clicks your tool's link in the LMS
Step 1 of 6A student or teacher opens an assignment, module item, or course page in the LMS and clicks the link that points at your tool. Behind the scenes, the LMS POSTs an OIDC login initiation request to your LTIAAS subdomain — not directly to your application.
LMS ──POST──▶ https://your.ltiaas.com/lti/login
The user doesn't see this happen. It takes place inside the LMS's iframe, and your application is not yet involved in any way. At this stage, the LMS is simply telling LTIAAS "a user from my system wants to launch your tool, here is who they are and which activity they're launching from."
What's next
- Deep Linking flow — allow teachers to pick specific content from your tool and embed it into an LMS assignment.
- Grade Passback flow — send a user's score back to the LMS gradebook after they complete an activity.
- Names & Roles flow — retrieve the full class roster for the LMS context the user just launched from.
