Bloom supports the LTI 1.3 standard, so it can be embedded as an external tool in any LTI 1.3 compatible Learning Management System. Once connected, students click a Bloom link from inside their course in the LMS and land in the right Bloom, signed in, with no separate password. The integration is vendor-neutral: Bloom does not ship LMS-specific code, so the same setup process works regardless of which LTI 1.3 platform your institution runs.
Setup is a two-sided exchange. Your LMS administrator gives Bloom four URLs and a client ID, Bloom gives the LMS three endpoint URLs and a public key, and the connection is live. The whole thing usually takes one short call between your IT team and Bloom.
Before you start
You will need:
- Administrator access to your LMS (Canvas, Moodle, D2L Brightspace, Blackboard, Sakai, or any other LTI 1.3 compatible platform). LTI 1.3 is an IMS Global standard, so the registration steps are similar across platforms even though the menu names differ.
- Your institution must already have an Organisation record in Bloom with LTI: Enabled. The Bloom team enables this when you start the integration.
- A Teaching Space and at least one Bloom set up that you want students to land in. See How to create your first Bloom if you have not done this yet.
How the launch flow works
When a student clicks a Bloom link inside your LMS, four things happen, in order:
- OIDC login init. Your LMS sends a POST to Bloom’s OIDC endpoint with the issuer (
iss),login_hint, andtarget_link_uri. Bloom looks up your platform record by issuer URL and redirects back to your LMS’s authorisation URL. - Signed launch. Your LMS posts a signed JWT (
id_token) back to Bloom’s launch endpoint. Bloom fetches your public key from your JWKS URL and verifies the signature using RS256. - Claim validation. Bloom checks the LTI message type is
LtiResourceLinkRequest, the version is1.3.0, the audience matches the Tool Client ID, the token has not expired, and the nonce has not been seen before (replay protection, with a 5 minute window). - Redirect. If everything checks out, Bloom redirects the student to the
target_link_uriclaim, which is the specific Bloom or chat URL you configured the LMS link to point at.
Authentication after a successful launch is handled by a server-side lti_session JWT cookie. If LTI validation ever fails, the same handler falls back to standard Auth0 sign-in, so students with a direct Bloom account can still get in.
Step 1: Register your LMS with Bloom
Send the Bloom team the following four values from your LMS:
- Platform URL (Issuer): the canonical URL of your LMS instance, for example something like
https://canvas.youruniversity.eduorhttps://lms.yourschool.org. This is what your LMS sends as theissclaim. - Tool Client ID: the client ID your LMS will issue when you register Bloom as a developer tool, on the LMS side. Some LMSes generate this when you save the tool config; others let you specify it.
- Authorization URL: your LMS’s OIDC authorisation endpoint, used in the redirect during step 1 of the launch flow.
- Access token URL: your LMS’s OAuth 2.0 token endpoint.
- Redirect URI: the redirect URI your LMS expects Bloom to use after authorisation.
- JWKS URL: the URL on your LMS that publishes the public keys Bloom will use to verify launch JWTs. Bloom sets the auth method to
RSA_KEYby default, fetched live from this URL on every launch.
The Bloom team enters these into the LTI Connections panel under the Organisations admin page. The form looks like this:
Step 2: Configure Bloom as an external tool in your LMS
Once Bloom is registered, the Bloom team will send you three URLs to paste into your LMS’s external tool configuration:
- OIDC login URL:
https://app.bloom.study/api/lti/oidc - Tool launch URL (Target Link URI): typically
https://app.bloom.study/api/lti/launchTool, or a deeper URL for a specific Bloom. - Public keyset URL (JWKS): published by Bloom for your registration so your LMS can verify any signed messages from Bloom.
The LMS-side menu where you paste these is named differently across platforms (for example, Developer Keys in Canvas, External Tool in Moodle, Manage Extensibility in D2L Brightspace), but the fields are the same: an OIDC login URL, a launch URL, a public keyset URL, and a client ID that the LMS issues back to you.
After the tool is registered, an instructor adds Bloom to a course as an external tool link. The link target should match a Bloom URL you want students to land on, for example a specific Bloom’s chat page.
Step 3: Test the launch
From a student account in your LMS, click the Bloom link inside a course. You should land directly in the configured Bloom with no Bloom login prompt. The student’s LMS identity (subject claim) is used to identify them, and they are signed in via the lti_session cookie.
If the launch fails, Bloom returns a 400 invalid_request response with an array of specific error strings. The most useful are listed below.
Common issues
“Issuer invalid: not registered”
The iss claim sent by your LMS does not match any Platform URL (Issuer) in Bloom’s registry. Most often this is a trailing slash, a typo, or a different domain (for example a sandbox vs. production LMS). Confirm the exact issuer your LMS sends and ask the Bloom team to update the platform record.
“Audience invalid”
The aud claim does not match the Tool Client ID Bloom has on file. This usually means the client ID was regenerated on the LMS side after Bloom was registered. Send the new client ID to the Bloom team.
“Algorithm invalid” or signature errors
Bloom only accepts RS256. If your LMS is configured to sign with a different algorithm, or the JWKS URL returns a key that does not match the JWT’s kid header, the launch will fail. Verify the JWKS URL is reachable, returns valid JSON, and contains the expected keys.
“Nonce is invalid”
Each launch nonce is single-use and expires 5 minutes after the OIDC login init. If a student refreshes a stale launch URL or replays a captured request, the nonce check rejects it. Ask the student to click the link in the LMS again rather than reloading the Bloom tab.
“Target Link URI invalid”
The target_link_uri in the signed JWT does not match the one your LMS sent during OIDC login init. Double-check that the launch URL configured in your LMS for this tool exactly matches the target Bloom URL.
What’s next
- Email hi@bloom.study with the four LMS values listed in Step 1 to start your registration.
- Set up the Teaching Space and Blooms students will land in → Teaching Space overview
- Want to roll out without LTI for now? Invite students directly → Invite students