I am in the process of writing a basic tool (in PHP at the moment) to use within our institution which gets the current course code from where it was launched from then queries Canvas to get the term start date for that course. The tool then constructs a new URL then redirects to that with the course code and start date as it's parameters.

Since it is a simple tool, I don't think using API keys is required. So I am using an access token from a service account user. My question is, is it best practice to just to store the access token as a variable within the code? Also, since this is a basic tool, I am just handling the secret that is passed to it, the URL it redirects to is public information, so no security is needed for that, would this be ok?

For context, it's a tool to retrieve paper descriptors, the paper descriptor tool has been developed by our institution where it just needs courseCode & date as parameters. This LTI tool, when launch, just needs to get these two things from the course then redirect to the url with those two parameter where it will return a pdf of the given course code.

Thanks,
Jawyei Wong