Is it okay for an institution to share the client_id and client_secret with an application?

We are currently developing an LTI 1.3 application to integrate with Canvas. For that we install an "LTI Key" Developer Key in Canvas. The application will also need to have access to the Canvas API, so that LTI Key alone isn't enough.

For testing purposes, we are generating access tokens for our admin user and sharing them with the application. However, that goes against Canvas' Terms of Service.

Ideally we'd like to use the OAuth flow, where we obtain access tokens from users. But for that it seems we need to also configure an "API Key" Developer Key, and have the application know these `client_id` and `client_secret` values. How are these values supposed to be shared with the application? Is it okay (not against the Terms of Service) for an institution admin to share these values with the application?

I know with LTI 1.1, when you configure an App you need to specify a pair of consumer key/secret, and those are typically provided by an application. So in LTI 1.1 this is no problem. But how is this typically done for LTI 1.3 applications?

Thank you!