I'm hoping to just get some confirmation that what I see is accurate.

If we have an LTI Tool that we want a user to be able to add via EduAppCenter or by URL (using consumer token and shared secret) this is expected to be confirmed via the oauth_signature on launch.

If the app additionally needs to access the API on behalf of the course admin, we have an additional OAuth 2.0 flow that allows us to get a bearer and refresh token (which isn't a JWT) which can then be used to do things like list quizzes in a course.

Then, if the app also needs to add subscriptions to data services, e.g. https://canvas.instructure.com/lti/data_services/scope/list we will need to obtain a JWT that that application then uses.

Finally, does using LTI2 registration URL to add an app change these at all (assuming the above is accurate)?

Is this correct?