Sorry for the delay on a response. Hopefully this information is more helpful:
Right now an external tool has two ways it can get an API key for a Canvas user. First, the external tool can ask the user to generate one manually in the user's profile, and copy and paste it into their application somewhere. The second way is for the external tool to use a developer key to ask for one, server to server. In this server scenario, a user who starts the app or launches it from within Canvas will see a screen where "Tool ______ is requesting access to your account." Once the user selects the Authorize button, Canvas issues an API token for that user to the application. This second method is preferred and more secure due to the API token never being placed in a web page or put somewhere it could be easily intercepted or compromised.
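The server-to-server method described above, as an added example that is not part of the original post and not Canvas's own code. It uses Canvas's OAuth2 endpoints `/login/oauth2/auth` and `/login/oauth2/token`; the host, developer key values, redirect URI and function names are constructed placeholders.

```python
import hmac
import secrets
import urllib.parse
import urllib.request

# Placeholders (constructed): replace with your Canvas host and developer key.
CANVAS_BASE = "https://canvas.example.edu"
CLIENT_ID = "10000000000001"
CLIENT_SECRET = "developer-key-secret-placeholder"
REDIRECT_URI = "https://tool.example.com/oauth/callback"


def build_authorize_url(session):
    """Step 1: send the user's browser to the Canvas authorization screen."""
    state = secrets.token_urlsafe(32)  # unguessable, bound to this session
    session["oauth_state"] = state
    query = urllib.parse.urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{CANVAS_BASE}/login/oauth2/auth?{query}"


def build_token_request(session, callback_url):
    """Step 2: after the user selects Authorize, Canvas redirects to REDIRECT_URI
    with ?code=...&state=... . Validate state, then prepare the server-to-server
    POST that trades the short-lived code for the API token."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if "error" in params:
        raise PermissionError("user declined authorization")
    expected = session.pop("oauth_state", "")  # single use
    got = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch: callback not tied to this session")
    code = params.get("code", [""])[0]
    if not code:
        raise ValueError("missing authorization code")
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # never leaves the server
        "redirect_uri": REDIRECT_URI,
        "code": code,
    }).encode()
    # Pass the result to urllib.request.urlopen(); the JSON reply carries the token.
    return urllib.request.Request(f"{CANVAS_BASE}/login/oauth2/token", data=body, method="POST")
```

Only the one-time `code` passes through the browser; the developer key secret and the resulting token stay in the server-side POST and its response.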