How safe is your LRS data? Most likely it can be downloaded by anyone, doesn't matter which LRS you are using. However, this is no more insecure with Secure Tokens.
What is required to access LRS data?
You LRS generates Basic Authentication details that is configured in your LMS or your content. e.g. in your GrassBlade xAPI Companion.
This is like a username and password that is used by Experience API to read and write data to the LRS.
In most cases it has unrestricted access.
Then, Is Basic Authentication not safe?
Basic Authentication method in itself is pretty secure. However, the username and password are passed in the url when the content is launched.
They are passed in an encoded form, so its not obvious for everyone, but it can be easily decoded.
So, these are technically public.
Can Basic Auth details be misused by others?
Yes, it can be misused by others, and they can even download all the LRS data.
Can we use xAPI Content without passing these details?
No, it has to be passed, so we cannot do without it.
How does Secure Tokens works?
Secure Tokens are short lived random passwords generated by GrassBlade xAPI Companion, in such a way that GrassBlade LRS can understand them. But, they have limited and restricted access.
Currently there are three security levels. All these levels have a 24 hour token life:
1. Low: Access to user's own statements only.
2. Medium: Access to user's own statements for the specific content only.
3. High: Access to user's own statements for the specific content, when accessed from the IP of the user this token was generated for.
So, if a user finds the username and password in the URL, he will only have limited access to the LRS data.
With some custom coding custom levels can also be created. Secure Tokens can also be integrated with other LMS systems to work with GrassBlade LRS.