Data handling

This page aims to answer some common queries about how data is handled by the Numbas LTI tool.

The Numbas LTI tool provider runs entirely on your own server. All data is saved on your server, and nothing is sent back to Newcastle University.

You are responsible for ensuring the security of data held by the Numbas LTI tool and for managing the data lifecycle.

When a resource on the LTI provider is launched, the client’s device sends a request containing some data generated by the tool consumer, following the Basic LTI standard. This information is cryptographically signed using the OAuth protocol. It contains at least a unique identifier for the link and a unique identifier for the user opening the link. This identifier might correspond to a username on the consumer.

The LTI tool can send scores for students’ attempts at Numbas resources back to the tool consumer, using the Basic LTI Outcomes Service. Data is sent using a request signed using OAuth, to an address provided by the tool consumer.

If you have set up an editor link, the LTI tool will occasionally request a list of available exams from the linked editor. This request is made anonymously, and no personally identifying information is sent.

User roles


A user with ‘administrator’ or ‘superuser’ privileges can see all data held by the LTI tool provider. They can manage consumers through the management interface, and access all resources without making an LTI launch.


When a user opens a resource through an LTI launch which specifies the ‘Instructor’ role, they are shown the management dashboard for that resource.

They can see all student attempt data relating to the resource.

They can download summary data about student attempts, including identifiers and scores.


When a user opens a resource through an LTI launch which specifies the ‘Student’ role, they are shown their own attempts at that resource. They can not see any other student’s attempts.