Does an LTI access token give access to full Canvas REST API?

rleonar7
Community Novice

I am interested in building an internal reporting tool that looks at several various Canvas-specific properties about a course, e.g. existence of 'Pages' in Canvas. I believe this type of information can be gathered from the Canvas Data Portal, or the Canvas REST API (or Graphql).

I am interested in using the OAuth client_credential flow to authorize my reporting tool to access Canvas REST API. Is this possible? It seems that the client_credential flow is tightly coupled with LTI tools... If I go through the process of getting an access token as an LTI, will that access token be able to access non-LTI Canvas REST APIs?

Another solution would be to provide a manually created Access Token to my application, effectively treating it as an API key, per this related Canvas Community discussion. I don't like this solution in that I lose the benefit of the bearer token being rotated every hour.

My plan right now is to use the OAuth auth code flow with a special 'non-user account' that will only be given access to the endpoints it needs (I'm actually not familiar with how a user's access to API endpoints is managed in Canvas, but I will work with my university's Canvas Administrators to help me with that part). I want to still get the benefits of a short-lived, often rotated bearer token. This solution means that I will have to store the user credentials and the developer key on my server... ce la vie.

Labels (1)
0 Likes