Update: The Output of Project Tin Can is Experience API.

next generation scorm evolution project tin can
 

Ready to really dive in?
View the full
Tin Can API spec.

View the Tin Can API
“quick start” guide.


We Need Security/Authentication

scorm project tin can security oathIt’s pretty well-known that older e-learning specs lack robust security. LETSI RTWS offers a solution for security, and it’s a good start.

The Tin Can API builds on RTWS’s approach. It’s similar to the way that RTWS authenticates, but it’s more flexible. In the Tin Can API, authentication is tied to the user, not the content. The user can be any person or thing that is asserting the statement. The user can be a learner, an instructor, or a even a software agent — and it can authenticate with OAuth.

With the Tin Can API, content can be secured and e-learning can be used for higher-stakes training.

See the comments below to see how we got to where we are today regarding security in the Tin Can API, and share your thoughts on how we’ve implemented it so far.

SCORM 2.0 next generation project tin can

Did we achieve what you wanted with this feature?


  • Jon Apgar

    Security and cheating are totally different problems.

    Security can be solved largely using authentication.

    Cheating is different though. You simply cannot trust a user to report their own score, which makes offline course advancement a non-starter.

    Can you imagine World of Warcraft allowing users to level-up offline and report their new achievements when they log back in? You have no way of verifying that the player actually did any of that.

  • Anonymous

    We do provide a means to self-report results, but the LRS does not have to trust those reports, and shouldn’t for anything important.

    Storing credentials on a user’s computer without allowing them access to said credentials is a hard, some would say unsolvable problem. There will probably always be tests for which the stakes are to high to try.

    What the TinCan API allows is for training providers to attempt to solve that problem, rather than being limited to an API that can only authenticate via a session cookie.