Canvas API Working Without Token?
Hello everyone, I hope you are doing well. I figured I would post this question here as I didn't find anything similar in searching online. I am an admin for a Canvas course that can generate API tokens and access the API this way. Recently, I have been trying to write some custom JavaScript for my theme to detect a student's section. That is the only data that I really want to be pulled when a student is viewing the course so that content can change dynamically depending on whether they are enrolled in a particular section.
The odd thing that I just discovered is that as a student, I am able to call a GET request through https://[instancename].instructure.com/api/v1/courses/[courseid]/enrollments?user_id=[studentid] by just going there in the URL while logged in as a non-admin student. So I thought, hmm, what if I called it through fetch without any auth and see what happens.
And it worked, it serves the purpose I am looking for. But I can't help but wonder, why does it work? Everything in the documentation suggests that you have to have an auth token or go through OAuth. Is this intended functionality that I can rely on for my use case? Am I correct in understanding that maybe having auth in API calls is only needed when you are trying to manipulate data? If it is intended, I think this should be documented since I am pretty sure I am not the only one trying to do this.
Since you're already logged in (or in your case, masquerading as a student), you're authenticated, and your authentication token and other session data (e.g., cookies) are stored in your web browser. When you make an API request, your browser simply uses the existing token to authorize the call.
Most actions performed in Canvas are executed via the API—for example, GET to retrieve course enrolment information, POST to submit an assignment, or PUT/PATCH to update a discussion post. The Canvas frontend makes these API calls behind the scenes and visually displays the resulting data, which is why a student can technically make API requests.
The Permissions assigned to each role (e.g., Student, Teacher) determine what types of actions users can perform via the API.
An Authentication token is required when calling the API from an external system. This token functions like a "username and password"—it authenticates your identity and allows you to make requests on behalf of that user.
Hope this helps. Feel free to let me know if you need any assistance using the API.
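The following is an added example, not part of the original thread or of Canvas's own code: a same-origin call from theme JavaScript that relies on the logged-in user's session cookie, so no access token is embedded in a script served to every user. The function names, the `fetchImpl` parameter and the sample response are constructed for illustration; the fields `user_id`, `course_section_id` and `enrollment_state` follow the Canvas Enrollment object, and stripping a `while(1);` prefix is a defensive assumption about cookie-authenticated responses.

```javascript
// Added example; JSON_PREFIX, sectionIdsFromBody and getSectionIds are hypothetical names.
const JSON_PREFIX = 'while(1);';

// Parse an enrollments response body and return the distinct section IDs
// of the given user's active enrollments.
function sectionIdsFromBody(body, userId) {
  // Assumption: a cookie-authenticated response may carry an anti-JSON-hijacking
  // prefix; strip it only if it is actually present.
  const json = body.startsWith(JSON_PREFIX) ? body.slice(JSON_PREFIX.length) : body;
  const enrollments = JSON.parse(json);
  if (!Array.isArray(enrollments)) throw new TypeError('expected an array of enrollments');
  const ids = enrollments
    .filter((e) => String(e.user_id) === String(userId) && e.enrollment_state === 'active')
    .map((e) => e.course_section_id);
  return [...new Set(ids)];
}

// Same-origin request: the browser attaches the existing session cookie, and the
// server applies the permissions of that user's role to the call.
async function getSectionIds(courseId, userId, fetchImpl = globalThis.fetch) {
  const url = `/api/v1/courses/${encodeURIComponent(courseId)}/enrollments` +
    `?user_id=${encodeURIComponent(userId)}&per_page=100`;
  const res = await fetchImpl(url, {
    credentials: 'same-origin',
    headers: { Accept: 'application/json' },
  });
  // A non-2xx status means the session is missing or the role lacks permission.
  if (!res.ok) throw new Error(`Canvas API returned HTTP ${res.status}`);
  return sectionIdsFromBody(await res.text(), userId);
}

// Constructed sample response (not real data) so the parser can be run offline.
const SAMPLE_BODY = 'while(1);' + JSON.stringify([
  { user_id: 42, course_section_id: 7, enrollment_state: 'active' },
  { user_id: 42, course_section_id: 9, enrollment_state: 'completed' },
  { user_id: 42, course_section_id: 7, enrollment_state: 'active' },
]);
```

Content switched on the result is a display decision made in the browser; what a student can actually read is still decided server-side by the role's permissions.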