API Authentication Practices

nardell
Community Participant

When I have experimented with Canvas APIs I have used access tokens that I create from my account. Seemed like a reasonable way to get going with tests. However, when I consider moving the API code to production (for things like monitoring and reporting) I will need to set up automated processes that can authenticate for API access. I am asking the community what is considered the best practice for API access authN/authZ when building automated processes.

I am considering setting up a functional user (with permissions and account scope set according to need) and creating an access token from that user. Alternatively, I am planning on creating a developer key from the scoped functional user account. Wanted to know if there are any recommendations on specifics. I like the look of the new scoped developer keys, however it is not clear if I can scope a developer key to only have access to a particular sub-account (without using a sub-account scoped function user).

Again thanks for any advice.

Mike