Email Attribute Missing on Canvas User API

GillMertens
Community Member
7 hours ago

Hello Canvas Developers,

I'm building an application for my school as a project for one of my courses and authentication for this wil being handled by our own Canvas instance with OAuth2. But I encounter an issue with retrieving the email attribute via the users endpoint.

Details:

  • Canvas Instance Setup:
    I have set up our own Canvas instance (separate from our school instance) and created a developer key with enforce scopes disabled (for testing purposes).

  • Admin User Response:
    When I make a GET request to /api/v1/users/self while logged in as an admin user, I receive a response that includes the email attribute. For example:

{
  "id": 1,
  "name": "connected.ehb@...",
  "created_at": "2025-01-29T18:33:07-07:00",
  "sortable_name": "connected.ehb@...",
  "short_name": "connected.ehb@...",
  "sis_user_id": null,
  "integration_id": null,
  "sis_import_id": null,
  "login_id": "connected.ehb@...",
  "last_name": "",
  "first_name": "connected.ehb@...",
  "email": "connected.ehb@...",
  "locale": null,
  "effective_locale": "en",
  "permissions": {
      "can_update_name": true,
      "can_update_avatar": false,
      "limit_parent_app_web_access": false
  }
}
  • Regular User Response:
    However, when I perform the same request while logged in as a regular (non-admin) user, the email attribute is missing from the response. For example:
{
  "id": 10,
  "name": "Gill Mertens",
  "created_at": "2025-02-06T12:52:04+01:00",
  "sortable_name": "Mertens, Gill",
  "short_name": "Gill Mertens",
  "last_name": "Mertens",
  "first_name": "Gill",
  "locale": null,
  "effective_locale": "en-GB",
  "permissions": {
    "can_update_name": true,
    "can_update_avatar": false,
    "limit_parent_app_web_access": false
  }
}

My Question:
Since my developer key has global access (with enforce scopes disabled), I was expecting the email attribute to be returned regardless of the user’s role. Is there a specific parameter, setting, or privacy configuration in Canvas that controls the exposure of the email attribute for regular users? Or is this behavior intentional for privacy reasons even when scopes are not enforced?

Any insights or guidance on how to ensure the email is returned for non-admin users would be greatly appreciated!

Thank you for your help.

0 Likes