Hello Canvas Community,
We are working on an integration using the Canvas LMS API, and are attempting to generate an access token for a student using the endpoint:
POST /api/v1/users/:user_id/tokens
https://www.canvas.instructure.com/doc/api/access_tokens.html
We are using an admin-level access token.
However, we are experiencing issues:
The token is not returned, or is returned in a "pending" state with no "token" value.
There appears to be no way to activate the pending token programmatically or via impersonation.
We could not find clear documentation or UI references on how a specific user (e.g., the student) can manually activate a pending token created by an admin.
Hi @brandon42,
May I ask why you're attempting to create individual user access tokens? I think that is going to be a very frowned-upon practice overall.
The more common route would be to use a Developer Key / OAuth2 flow to be able to do API calls on behalf of users.
-Chris
Hi @brandon42,
When you use that API endpoint to create a token on a user's behalf, that user must activate it themselves; I don't have a screenshot handy, but when they look at their tokens it will be in the "Pending" state and they will have an "Activate" button they can click. If you hit that POST endpoint for your own user account you should be able to see it. An admin masquerading as the user can explicitly not activate the token and there is no programmatic way to do so, which is a reasonable security consideration on Instructure's part to guarantee that tokens really truly belong to the user they're associated with. If you are trying to make API calls on behalf of other users, the OAuth 2 flow that Chris references is the appropriate way to do so. Lastly, I'm assuming you deleted that token or never activated it, but be careful with your screenshots -- putting that full text token out there could give someone access to your Canvas instance!
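The Developer Key / OAuth2 route recommended in the replies above, sketched as an added example that is not part of any post in this thread and is not Instructure's code: it builds the Canvas authorization redirect and validates the callback before preparing the code-for-token request. The host, client ID, redirect URI and the dict-like `session` are constructed placeholders; the `/login/oauth2/auth` and `/login/oauth2/token` paths are Canvas's OAuth2 endpoints.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders: use your own instance and Developer Key values.
CANVAS_BASE = "https://canvas.example.edu"
CLIENT_ID = "10000000000001"
REDIRECT_URI = "https://integration.example.org/oauth/callback"


def build_authorize_url(session):
    """Step 1: URL the user's browser is sent to so they can approve access."""
    state = secrets.token_urlsafe(32)      # unguessable, tied to this session
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{CANVAS_BASE}/login/oauth2/auth?{query}"


def handle_callback(session, callback_url, client_secret):
    """Step 2: validate the redirect, then return (endpoint, form) to POST."""
    params = parse_qs(urlparse(callback_url).query)
    if "error" in params:                  # e.g. the user declined the request
        raise PermissionError(params["error"][0])
    expected = session.pop("oauth_state", None)   # single use: blocks replay
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(
            expected.encode(), received.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    # Send this form server-side only; client_secret never reaches a browser.
    return f"{CANVAS_BASE}/login/oauth2/token", {
        "grant_type": "authorization_code",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "redirect_uri": REDIRECT_URI,
        "code": params["code"][0],
    }
```

The access token returned by the token endpoint belongs to the user who approved the request, so no pending-token activation step is involved.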