Feature catalog
Everything Chalk does, in one place.
Chalk is a roster sync, identity, and provisioning platform for K-12 districts. It connects to your SIS, becomes your IDP, and pushes clean data into Google Workspace, AD, and downstream apps. Free for schools.
Roster sync
Every major SIS, one canonical roster
OneRoster 1.1 push and pull against the four sources districts actually run. Chalk normalizes the messy bits so downstream systems see clean data.
PowerSchool
OAuth 2.0 client to the PowerSchool plugin endpoint. Full org, course, class, user, and enrollment sync.
Skyward
OneRoster {ONEROSTER_VERSION} REST client tuned for Skyward's pagination and identifier quirks.
Infinite Campus
OAuth 2.0 + OneRoster {ONEROSTER_VERSION} with handling for Campus-specific status codes.
OneRoster CSV
Drop any vendor's OneRoster CSV export into Chalk and treat it as a first-class source.
Quirk-handling, built in
Whitespace normalization, missing-identifier recovery, and `tobedeleted` status handled the way the spec actually says.
Push and pull
Use Chalk as a OneRoster consumer for your SIS, or as a OneRoster producer for downstream apps. Same data model either way.
SSO & Identity
Be your own identity provider
A full self-hosted IDP with the auth methods K-12 actually needs — from staff SAML to QR badges for kindergartners.
SAML 2.0 IDP
Auto-generated self-signed keypairs, metadata endpoint, and signed assertions. Drop SAML SPs into the console.
OIDC federation
Federate with upstream IdPs (Google, Microsoft, district SSO) or expose Chalk as an OIDC provider.
Password + Argon2
Argon2id password hashing for admin and staff accounts. Sensible defaults, configurable parameters.
QR badge login
Visual login for K-2 students. Admins generate, revoke, and audit badges from the console.
Picture password
Image-sequence login as an alternative for early-grade students who can't yet type.
Sessions & audit
Server-side sessions, configurable timeouts, and a complete audit log of every authentication event.
Migrate from Clever or ClassLink
Drop-in OAuth 2.0 replacement
Switch providers without rewriting your app integrations. Chalk speaks both compatibility dialects, plus a guided cutover.
Clever-compatible endpoints
OAuth 2.0 authorization flow, user info, and provisioning endpoints that match Clever's payload shape.
ClassLink-compatible endpoints
OAuth 2.0 plus role mapping (student / teacher / admin) that mirrors ClassLink's contract.
Export parsers
Import existing Clever or ClassLink export bundles directly — no manual schema mapping.
Guided cutover wizards
Step-by-step flows in the admin console for user mapping, role assignment, and per-app rollout.
Provisioning
Push the roster into Google and AD
Workspace, on-prem AD, and Entra all sync from the same canonical roster. Preview before you apply.
Google Workspace users
Create, update, and suspend users via the Admin SDK with domain-wide delegation.
Google OUs from SIS hierarchy
Org units derived automatically from your SIS school and grade structure.
Classrooms & groups
Provision Google Classroom rosters and Google Groups from OneRoster class enrollments.
Active Directory / LDAP
User provisioning, OU mapping, and group membership against on-prem AD or Entra.
Dry-run previews
See exactly what will change before any write hits production. Diff users, OUs, and group membership.
Scheduled cron sync
Per-tenant scheduler with full run history. Auto-suspend inactive users on a cadence you control.
Developer & integration
Chalk as your district's roster API
Once Chalk has the roster, every downstream app can consume it the same way — REST, webhooks, or CSV.
OneRoster 1.1 REST API
Read-only endpoints at /api/oneroster/v1p1/. Standards-compliant, no proprietary shape.
HMAC-signed webhooks
HMAC-SHA256 signed payloads with exponential backoff retry. Verify and trust at the edge.
CSV export with manifest
OneRoster CSV bundles with manifest.csv for downstream tools that expect file-based ingest.
Admin console
Server-rendered, no SPA bloat
Axum + Askama + HTMX. Fast to load, fast to operate, no JavaScript framework churn.
Dashboard
At-a-glance tenant health: last sync, user counts, recent audit events.
Sync management
Trigger, schedule, and inspect SIS, Google, and AD syncs from one screen.
Users directory
Search, filter, and inspect every provisioned user with their identity sources.
Identity & SSO config
Configure SAML SPs, OIDC clients, and password policy. Manage SSO partners.
Migration wizards
Clever and ClassLink cutover wizards live in the console — no CLI required.
Audit log
Every admin action, every authentication, every sync run — queryable and exportable.
SSO landing page
Self-hosted launchpad for your apps
Schools can add their own links to their tenant's SSO landing page, or pull approved listings from the curated marketplace.
Security & operations
Built for district IT review
Encryption, isolation, and audit logging that hold up to a security questionnaire.
AES-256-GCM at rest
SAML keypairs and other tenant secrets sealed at rest with authenticated encryption.
Master key rotation
Rotate the master key without taking the platform offline.
Audit logging
Every admin and authentication action logged with actor, target, and timestamp.
CSRF & security headers
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and SRI on CDN scripts.
Per-tenant Postgres isolation
Multi-tenant deployments use per-schema isolation — one tenant cannot read another's data.
Read the full posture
Threat model, key handling, and rotation procedures documented on the security page.
Deployment
Self-host or let us run it
Same product either way. SQLite for single-tenant self-host, Postgres for multi-tenant cloud.
SQLite embedded
Default for self-host. Zero external dependencies — one binary, one database file.
PostgreSQL multi-tenant
Per-tenant schema isolation, per-tenant connection pool, per-tenant scheduler.
CLI commands
init, sync, serve, status, import, export, migrate, google-sync, ad-sync, update.
Try it on your district's roster.
Free for schools, hosted or self-hosted. No credit card, no per-seat fees.