AnsweredAssumed Answered

Canvas Data (API) 401:Unauthorized

Question asked by Jack Butterworth on May 23, 2017
Latest reply on May 24, 2017 by Jack Butterworth

I'm attempting to access Canvas Data, using the API, following the guide set out by James Jones -Canvas Data API Authentication, but I'm running into a 401. Hopefully I'm just missing something simple, if anyone can see it I'd be grateful.


I'm using .NET, but the code shouldn't differ much for any other language. I've pasted my code below in case someone can spot anything untoward, or missing.


Please note that although I can't rule out there being something amiss with my GenerateHMACSignature function, it does produce the desired HMAC signature when using the example parameters given in James' article.


Generating HMAC token:

static string GenerateHMACSignature(string secret, string url, DateTime timestamp)
   var uri = new Uri(url);
   string query = "";
   if (uri.Query.Length > 1)
      var queryParams = uri.Query.Substring(1).Split('&').OrderBy(q => q);
      query = Combine(queryParams, "&");
   var parts = $"GET\n{uri.Host}\n\n\n{uri.AbsolutePath}\n{query}\n{timestamp:r}\n{secret}";

   using (HMACSHA256 hmac = new HMACSHA256(Encoding.Default.GetBytes(secret)))
      var hash = hmac.ComputeHash(Encoding.Default.GetBytes(parts));
      return Convert.ToBase64String(hash);


Making the request:

var timestamp = DateTime.Now;
var url = "";

var signature = GenerateHMACSignature(apiSecret, url, timestamp);
var request = WebRequest.CreateHttp(url);
request.Headers["Authorization"] = $"HMACAuth {apiKey}:{signature}";
request.Date = timestamp;