What ID/info to use to uniquely identify a Canvas instance?

eduardo14

Hi All,

What information should I use to uniquely identify a Canvas instance during an LTI launch? I need to be 100% sure that the ID token received is for a user in a particular school previously registered in my app.

From what I have seen so far, the iss in the id_token is always the same (canvas.instructure.com, with env-specific variations), which makes it unusable for this end, particularly when self-hosted instances can also have that same iss. For Instructure-hosted instances, the only other information I could use is the client_id, but is that unique across all instances? Is that the recommended way to go? Is there any other information I could use?

The JWKS token validation URL is also the same for all Instructure-hosted instances. So it is also not a good option to ensure uniqueness of the instance.

Thanks