Change the name of the "Developer Key" feature

Idea created by Jared Chapman on Apr 9, 2018
    Open for Voting
    • John Boekenoogen
    • Charles McCann

    As an LTI developer, I spent a lot of effort (with the help of some remarkable Canvas developers like Cody Cutrer) developing a framework to request course access tokens using a developer token. It really is a slick way to do things.


    BUT..., clients really get spooked by that name: "developer key". Think about it: if a "course key" gives you access to all the data in a course, then a "developer key" gives you access to everything in a Canvas instance, right? WRONG. But that is the logic that many clients go through when I ask for a "developer key". Universities are VERY bureaucratic places and this simple misunderstanding adds weeks and sometimes months to the approval process. You could fix this problem with a simple interface change and dramatically lower the cost of doing business for 3rd party developers.


    As evidence of this problem and the distrust the name "developer key" creates, I point you to this thread: Developer key or data access token? 


    So, my request is that we change the name from "developer key" to "authorization request code" or something like that, and that a brief explanation of what the code does and how it is limited be added to the interface.


    Thank you!




    For the record, a "developer key" does NOT give developers access to any data on its own; it is not an access token. A developer key only allows LTI code to ask Canvas, to ask the user, to authorize and provide an access token via secure OAuth. The scope of what LTI code can ask for is still limited by the access token it receives--TO THAT CLASS, FOR THAT USER. Without the developer key the user has to manually go into the bowels of Canvas, manually generate an access token, copy and then paste that token into a form the LTI provides, and then it works the same. This is described in the above link: "[the developer token] method is preferred and more secure due to the api token never been placed in a web page or put somewhere it could be easily intercepted or compromised." The developer token is just a simplified and more secure way to request an access token.


    Also, there are several limits on what I can access using a developer key. I cannot ask for an API token until the client manually adds my LTI to a course. I cannot access any data until the user approves the access token request in that course. And then I can only access data within the scope of that user in that course. Also, users can deny access within their scope by expiring specific access tokens. Also, developer tokens only work for a specific domain; I cannot share them with other people, and they will only work for authorize token requests coming from my unique domain name. Also, the request for an access token is pretty complex and very secure using the OAuth authorization standard. It ensures that we know and trust each other before I can request an access token.
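
    The limits listed in the post, shown as a simplified model of an OAuth authorization-code exchange. This is an added illustration, not Canvas code or the poster's framework; the class, method names and hosts are constructed for the example.

```python
import secrets
from urllib.parse import urlparse

class AuthServer:
    """Toy authorization server (constructed model, not Canvas's implementation)."""
    def __init__(self):
        self.keys = {}    # client_id -> (client_secret, allowed redirect host)
        self.codes = {}   # one-time code -> (client_id, user)
        self.tokens = {}  # access token -> user it acts for

    def register_key(self, client_id, redirect_host):
        """An admin issues a key bound to one redirect host; returns its secret."""
        secret = secrets.token_urlsafe(16)
        self.keys[client_id] = (secret, redirect_host)
        return secret

    def authorize(self, client_id, redirect_uri, user, user_approves):
        """Step 1: the tool asks, the user decides. Returns a one-time code or None."""
        key = self.keys.get(client_id)
        if key is None or urlparse(redirect_uri).hostname != key[1]:
            return None   # unknown key, or request not from the registered domain
        if not user_approves:
            return None   # the user declined, so nothing is issued
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, user)
        return code

    def exchange(self, client_id, client_secret, code):
        """Step 2: trade the code plus the key's secret for an access token."""
        key = self.keys.get(client_id)
        if key is None or not secrets.compare_digest(key[0], client_secret):
            return None
        entry = self.codes.pop(code, None)   # codes are single use
        if entry is None or entry[0] != client_id:
            return None
        token = secrets.token_urlsafe(24)
        self.tokens[token] = entry[1]
        return token

    def whoami(self, token):
        """API access is decided by the token presented, never by the key."""
        return self.tokens.get(token)

    def revoke(self, token):
        """The user expires a token they previously approved."""
        self.tokens.pop(token, None)
```

    Presenting the key ID or its secret to `whoami` returns nothing; only a token issued after user approval resolves to a user, and it stops working once revoked.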