Tag: PowerSchool

Posted on

PowerSchool API Postman Collection

PowerSchool API Postman Collection, feel free to copy to fork it

Overview

This collection provides a complete, production-ready setup for working with PowerSchool APIs. It implements automatic OAuth authentication with token validation, eliminating manual token management and enabling seamless multi-environment workflows.

Key Features

πŸ” Automatic Authentication

  • Zero Manual Token Management: Tokens are obtained and validated automatically before every request
  • Smart Token Validation: Validates tokens against the PowerSchool metadata endpoint (/ws/v1/metadata)
  • Auto-Refresh on Expiry: Automatically refreshes expired or invalid tokens
  • Bearer Token Headers: All requests automatically include properly formatted Authorization: Bearer {{psAuthToken}} headers

🌍 Multi-Environment Support

  • Different PowerSchool Instances: Easily switch between multiple PowerSchool servers (Development, Staging, Production)
  • Credential Isolation: Each environment has its own psURL, psClientID, and psClientSecret
  • Shared Token Storage: psAuthToken stored at collection level, shared across all environments
  • One-Click Switching: Select different environments from Postman dropdown

βœ… Token Validation

  • Metadata Endpoint Check: Validates token by calling /ws/v1/metadata
  • Plugin ID Detection: Confirms token validity by checking for plugin_id in response
  • Automatic Recovery: If token is invalid, automatically obtains a new one
  • Error Prevention: Detects authentication issues before they cause request failures

πŸ“‹ Complete Request Examples

  • PowerSchool OAuth Request: Direct OAuth endpoint for manual token retrieval
  • Get Metadata (with token): Example of authenticated request
  • Get Metadata (without token): Shows public metadata access
  • Get Students By District: Production-ready example with auto-auth

How It Works

Request Flow

When you click Send on any request:

1. Collection Pre-request Script Runs
   ↓
2. Check: Does psAuthToken exist?
   β”œβ”€ NO  β†’ Obtain new token via OAuth
   β”œβ”€ YES β†’ Validate token via /ws/v1/metadata
   β”‚        β”œβ”€ Valid (has plugin_id) β†’ Proceed
   β”‚        └─ Invalid (no plugin_id) β†’ Get new token
   ↓
3. Token stored in psAuthToken (collection variable)
   ↓
4. Request executes with Authorization: Bearer {{psAuthToken}}
   ↓
5. Response received

Token Validation Logic

Valid Token Response:

{
    "metadata": {
        "plugin_id": 15334,
        "powerschool_version": "25.7.0.1.252121950",
        ...
    }
}

Invalid Token Response:

{
    "metadata": {
        "district_timezone": "Asia/Riyadh",
        ...
        (NO plugin_id field)
    }
}

The script detects missing plugin_id and automatically refreshes the token.

Setup Instructions

1. Create Environments

For each PowerSchool instance, create an environment with:

VariableValue
psURLhttps://your-powerschool-domain.com
psClientIDYour OAuth client ID
psClientSecretYour OAuth client secret

2. Collection Variables

The collection already includes:

  • psAuthToken – Auto-populated by OAuth script (do not edit)

3. Select Environment

Before making requests, select your environment from the Postman dropdown (top-right).

4. Make Requests

Click Send on any request. The collection pre-request script handles all authentication automatically.

Collection Structure

PowerSchool API Postman Collection
β”œβ”€β”€ Authentication (Collection-level Pre-request Script)
β”‚   β”œβ”€β”€ Token validation against /ws/v1/metadata
β”‚   β”œβ”€β”€ Auto-refresh on expiry
β”‚   └── Error handling
β”‚
β”œβ”€β”€ PowerSchool OAuth Request (POST)
β”‚   └── Direct OAuth endpoint access
β”‚   └── Manual token retrieval (for testing)
β”‚
β”œβ”€β”€ Get Metadata (with token) (GET)
β”‚   └── Authenticated metadata endpoint
β”‚   └── Shows valid token usage
β”‚
β”œβ”€β”€ Get Metadata (without token) (GET)
β”‚   └── Public metadata access
β”‚   └── Shows response without authentication
β”‚
└── Get Students By District (GET)
    └── Example authenticated API request
    └── Returns district student data

Variables Reference

Collection Variables

  • psAuthToken – OAuth access token (auto-populated, do NOT manually edit)

Environment Variables (Set per PowerSchool instance)

  • psURL – PowerSchool domain (e.g., https://ps.asb.bh)
  • psClientID – OAuth client ID from PowerSchool admin
  • psClientSecret – OAuth client secret from PowerSchool admin

Console Logging

The collection provides detailed console logging for debugging:

Successful Token Validation:

⚠ Validating existing token...
βœ“ Token is valid. Plugin ID: 15334
βœ“ Auth token already set, proceeding...

Token Refresh:

⚠ Validating existing token...
⚠ Token is invalid. No plugin_id in metadata response
⚠ Token is invalid, getting new one...
⚠ Getting new authentication token...
βœ“ New token obtained successfully

Missing Credentials:

βœ— Missing required variables: psURL, psClientID, or psClientSecret

Open Postman Console (bottom-left) to view all logs.

Common Use Cases

Adding New PowerSchool API Endpoints

  1. Click “+” to add new request to collection
  2. Set method and URL: {{psURL}}/ws/v1/[endpoint]
  3. Add headers:
    • Authorization: Bearer {{psAuthToken}}
    • Accept: application/json
  4. Click Save

The collection pre-request script automatically handles authentication for all new requests.

Switching Between PowerSchool Instances

  1. Open Postman
  2. Click environment dropdown (top-right)
  3. Select desired environment
  4. Make request – collection script uses selected environment’s credentials

Manual OAuth Testing

  1. Click PowerSchool OAuth Request
  2. Verify environment is selected
  3. Click Send
  4. Token is extracted and stored in psAuthToken
  5. Check console for success/error messages

Validating Token Status

  1. Click Get Metadata (with token)
  2. Click Send
  3. Response shows current metadata with or without plugin_id
  4. If plugin_id is present, token is valid
  5. If plugin_id is missing, token will auto-refresh on next request

Error Handling

“Missing required variables”

Cause: Environment variables not set Solution: Add psURL, psClientID, psClientSecret to selected environment

“OAuth request failed with status 401”

Cause: Incorrect credentials Solution: Verify OAuth client ID and secret in PowerSchool admin portal

“Token is invalid. No plugin_id in metadata response”

Cause: Token lacks required permissions or is expired Solution: Token auto-refreshes automatically on next request

“Authorization header empty”

Cause: Token didn’t load before request executed Solution: Wait a moment and retry, or manually run OAuth request first

Best Practices

Security

  • βœ“ Never commit real credentials to version control
  • βœ“ Use Postman environments to store sensitive data
  • βœ“ Treat psClientSecret like a password
  • βœ“ Rotate OAuth credentials periodically

Organization

  • βœ“ Use meaningful request names
  • βœ“ Group related endpoints in folders
  • βœ“ Document expected responses in request descriptions
  • βœ“ Keep collection pre-request script clean and updated

Maintenance

  • βœ“ Test collection monthly with all environments
  • βœ“ Monitor PowerSchool API changes
  • βœ“ Update endpoints as PowerSchool APIs evolve
  • βœ“ Keep OAuth credentials current

API Endpoints Included

EndpointMethodPurpose
/oauth/access_tokenPOSTOAuth token retrieval
/ws/v1/metadataGETSystem metadata (with & without token)
/ws/v1/districtGETDistrict information

Next Steps

  1. Create Environments: Add your PowerSchool instances as separate environments
  2. Set Credentials: Configure psURL, psClientID, psClientSecret per environment
  3. Test Collection: Run requests and verify token validation in console
  4. Extend Collection: Add more endpoints as needed using the same patterns

Support & Troubleshooting

Check Console Logs

Open Postman Console (bottom of screen) to see detailed execution logs including:

  • Token validation results
  • OAuth request status
  • Variable resolution
  • Error messages

Validate Token Manually

  1. Run Get Metadata (with token)
  2. Look for "plugin_id" in response
  3. If present: Token is valid βœ“
  4. If missing: Token needs refresh (auto-handled)

Test OAuth Endpoint

  1. Run PowerSchool OAuth Request
  2. Check console for:
    • βœ“ Set psAuthToken as [token] – Success
    • βœ— OAuth failed... – Check credentials

FAQ

Q: Do I need to manually get a token? A: No. The collection automatically manages tokens. Manual OAuth request is only for testing.

Q: Can I use this with multiple PowerSchool instances? A: Yes. Create separate environments for each instance and switch between them.

Q: What happens if my token expires? A: The collection automatically detects expiry and refreshes the token before the next request.

Q: Where is my token stored? A: In the collection variable psAuthToken. It persists across environment switches.

Q: Can I see what the script is doing? A: Yes. Open Postman Console (Ctrl+Alt+C or Cmd+Option+C) to view detailed logs.

Q: How often do tokens refresh? A: Only when they expire or are invalid. Valid tokens are reused across requests.

Author: Prince PARK
Version: 1.0
Last Updated: March 26, 2026
Created For: PowerSchool API Integration
Requires: Postman 10.0+

Posted on

Configure Azure (SAML as idP) For PowerSchool

Component Role
PowerSchool Service Provider (SP)
Azure AD (Entra ID) Identity Provider (IdP)
User Browser-based authentication
  • PowerSchool can only be setup to point to one and only one SAML identity provider.
  • PowerSchool SIS currently supports only one IdP at a time
    • SAML/WS-Trust
    • OIDC/OpenID Connect
  • user ID attribute is used in the SAML authentication are
    • psguid aka β€˜PowerSchool’s own global unique identifiers’
    • state-id aka β€˜State identifiers’

PowerSchool will expect an authenticationId attribute from the identity provider during a successful single sign-on

User Type Attribute Value Source
admin authenticationId psguid U SERS.PSGUID
admin authenticationId state-id USERS.SIF_STATEPRID
guardian authenticationId psguid GUARDIAN.PSGUID
guardian authenticationId state-id GUARDIAN.STATE_GUARDIANNUMBER
student authenticationId psguid STUDENTS.PSGUID
student authenticationId state-id STUDENTS.STATE_STUDENTNUMBER
teacher authenticationId psguid USERS.PSGUID
teacher authenticationId state-id USERS.SIF_STATEPRID

Step 1: PowerSchool SSO Plugin

plugin.xml

<?xml version="1.0" encoding="UTF-8"?>
<plugin xmlns="http://plugin.powerschool.pearson.com"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="http://plugin.powerschool.pearson.com plugin.xsd"
    name="Azure SSO - SAML IdP" version="1.0.2" description="Azure SSO - SAML as IdP Plugin">
    <saml
        name="mantle-test-powerschool"
        idp-name="azure-identity-provider"
        idp-entity-id="https://sts.windows.net/<tenant_id>"
        idp-metadata-url="https://login.microsoftonline.com/<tenant_id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app_id>">
        <attributes>
            <user type="teacher">
                <attribute name="authenticationId" attribute-value="state-id" />
                <!-- <attribute name="authenticationId" attribute-value="psguid" /> -->
            </user>
            <user type="admin">
                <attribute name="authenticationId" attribute-value="state-id" />
                <!-- <attribute name="authenticationId" attribute-value="psguid" /> -->
            </user>
            <user type="student">
                <attribute name="authenticationId" attribute-value="state-id" />
                <!-- <attribute name="authenticationId" attribute-value="psguid" /> -->
            </user>
            <user type="guardian">
                <attribute name="authenticationId" attribute-value="state-id" />
                <!-- <attribute name="authenticationId" attribute-value="psguid" /> -->
            </user>
        </attributes>
    </saml>
    <publisher name="PrincePARK">
        <contact email="prince_ppy@yahoo.com"></contact>
    </publisher>
</plugin>

saml Attributes

Property Description Can Modify
name The name of the service provider. Must provide a short name that will become part of the addresses used during SAML communication. No
idp-name The name of the identity provider. Yes
idp-entity-id The entity ID of the identity provider. Defined in the form of a URI. Yes
idp-metadata-url The URL from which the PowerSchool can obtain a copy of the identity provider metadata. . Yes

The identity provider must also be configured to return an authenticationId attribute on a successful single-sign on. This attribute must contain the either or identifier (as defined in the plugin).

From https://sts.windows.net/<tenant_id> and https://login.microsoftonline.com/<tenant_id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app_id>">, <tenant_id> and <app_id> wil be replaced by the respective value

Step 2: Plugin Installation

  • Install the Azure SSO - SAML IdP Plugin to PowerSchool
  • Enable the plugin
  • Restart the PowerSchool Instance

Step 3: Plugin Configuration

Open PowerSchool Plugin Page > β€˜SAML Service Provider Setup’ Page

Local Service Provider Settings > Name field serve as the entity_key for the Azure Single Sign On > Identifier (Entity ID)

Step 4: Configuring Azure SAML IdP

  • Azure Portal β†’ Enterprise Applications
  • Create Non-gallery new application (app name PowerSchool SSO)
  • Enable Single Sign-On
  • Select SAML
  • from Set up Single Sign-On with SAML Configure Basic SAML Settings (Azure)
    • Identifier (Entity ID) β†’ from PowerSchool https://mantleai-test.powerschool.com:443/saml/entity-id/mantle-test-powerschool
    • Reply URL (ACS URL) β†’ from PowerSchool https://mantleai-test.powerschool.com:443/saml/SSO/alias/mantle-test-powerschool
  • from Set up Single Sign-On with SAML Configure Claims & Attributes

Typical PowerSchool-required claims:

Claim Azure Source
Unique User Identifier (Name ID) user.userprincipalname
emailaddress user.mail
givenname user.givenname
name user.userprincipalname
surname user.surname

Make Sure the below claim is avaliable

Claim Azure Source
authenticationId user.mail

Step 5: Finish PowerSchool Plugin SAML Service Provider Setup

From Azure Set up Single Sign-On with SAML page copy App Federation Metadata Url and Microsoft Entra Identifier

Open PowerSchool Plugin Page > β€˜SAML Service Provider Setup’ Page,

  • Copy Microsoft Entra Identifier from Azure to External Identity Provider Settings > Entity ID in PowerSchool SAML Service Provider Setup Page
  • Copy App Federation Metadata Url from Azure to External Identity Provider Settings > Metadata URL in PowerSchool SAML Service Provider Setup Page

Notes Assertion Consumer Service (ACS) URL: Where Azure sends the SAML response

Posted on

SelfSigned Certificate for WebApplications (PowerSchool Test Server)

When we are creating a PowerSchool in OnPrimise, One of the difficult part is to generate a proper self-signed certificate. This blog is for all the PowerSchool administrators out there who have to Build the PowerSchool Test server or they want to Dump the Latest database backup to the test server.

OpenSSL

commonly we use OpenSSL to generate the certificate, by default OpenSSL is not available in Windows Server. Below are the steps (Credits to: https://tecadmin.net/install-openssl-on-windows)

Step 1 – Download OpenSSL Binary

You need to download the latest OpenSSL Windows installer file. Click the below link to visit the OpenSSL download page https://slproweb.com/products/Win32OpenSSL.html

Step 2 – Run OpenSSL Installer

Now run the OpenSSL installer on your system. The OpenSSL required Microsoft Visual C++ to be installed on your system. If your system doesn’t have Microsoft Visual C++ installed, the installer will show your message like:

Click Yes to download and install required Microsoft Visual C++ package on your system.

Then again run the OpenSSL installer and follow the wizard.

Make sure you change the folder to “C:\OpenSSL-Win64” for easy handling in later stage

Step 3 – Setup Environment Variables

Now set the environment variables to function OpenSSL properly on your system. You are required to set OPENSSL_CONF and Path environment variables.

Use the following commands to set the environment for the permanently (use PowerShell):

[System.Environment]::SetEnvironmentVariable('OPENSSL_CONF','C:\OpenSSL-Win64\bin\openssl.cfg', 'Machine')
$Path = [Environment]::GetEnvironmentVariable('PATH', 'Machine') + [IO.Path]::PathSeparator + 'C:\OpenSSL-Win64\bin'
[System.Environment]::SetEnvironmentVariable('Path',$Path, 'Machine')

Step 4 – Run OpenSSL Binary

Open cmd / powershell and test ‘openssl’

Generating Self-Signed certificate via OpenSSL

Please change the below names according to your situations
(credits to https://stackoverflow.com/questions/10175812/how-to-generate-a-self-signed-ssl-certificate-using-openssl)

  • powerschool.local.school => to your test server FQDN
  • -subj “/C=BH/ST=Riffa/……CN=powerschool.local.school” => to your version
  • subjectAltName => alter DNS and IP to match your server settings
# generate selfsigned certificate and key for 10 years with specific Subject and Additional subjectAltName

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 \
  -nodes -keyout powerschool.local.school.key -out powerschool.local.school.crt -subj "/C=BH/ST=Riffa/L=Riffa/O=School/OU=PowerSchool/emailAddress=prince@xxxxxxx.com/CN=powerschool.local.school" \
  -addext "subjectAltName=DNS:powerschool.local.school,DNS:powerschool-altername.local.school,IP:172.10.1.151,IP:172.10.1.152"

the above code process will generate the key file in the modern format (PKCS#8), which PowerSchool doesn’t like. We need to manually convert the key file to traditional format (PKCS#1)

# traditional format (pkcs1)
$ cat pkcs1.pem
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

# modern format (pkcs8)
$ cat pkcs1.pem
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

# Convert from PKCS#8 to PKCS#1:
openssl pkey -in powerschool.local.school.key -traditional -out powerschool.local.school.rsa.key

The above code will generate a new key file (‘powerschool.local.school.rsa.key’) from your available modern key file (‘powerschool.local.school.key’)

Additional usefull commands

# Convert from PKCS#1 to PKCS#8:
openssl pkey -in pkcs1.pem -out pkcs8.pem

# Convert from PKCS#8 to PKCS#1:
openssl pkey -in pkcs8.pem -traditional -out pkcs1.pem

# RSA private key - To convert from PKCS#1 to PKCS#8:
openssl pkcs8 -topk8 -inform pem -in private_pkcs1.pem -outform pem -nocrypt \
 -out private_pkcs8.pem

# RSA private key - To convert from PKCS#8 to PKCS#1:
openssl rsa -in private_pkcs8.pem -out private_pkcs1.pem

# RSA public key - To convert from PKCS#8 to PKCS#1:
openssl rsa -pubin -in public_pkcs8.pem -RSAPublicKey_out -out public_pkcs1.pem

# RSA public key - To convert from PKCS#1 to PKCS#8:
openssl rsa -RSAPublicKey_in -in public_pkcs1.pem -pubout -out public_pkcs8.pem

# Create SSL identity file in PKCS12
openssl pkcs12 -export -in example.com.crt -inkey example.com.key -out example.com.pfx

# Convert P12 into PEM
openssl pkcs12 -in powerschool.local.school.pfx -nocerts -nodes -out powerschool.local.school.key
openssl pkcs12 -in powerschool.local.school.pfx -clcerts -nokeys -out powerschool.local.school.crt
openssl pkey -in powerschool.local.school.key -traditional -out powerschool.local.school.rsa.key

Additional Readings