atcarver
Community Contributor

Permissions generic account for API token generation?

My team is considering setting up a separate generic admin account to use for API tokens. We'd use those tokens for our provisioning via API, so there's interest in not having them tied to an account (people leave the university, support, etc.).

My question is whether anyone else is doing this and if you could share any lessons learned from doing so?

Or, if you don't have a separate account for API tokens, have you found it to be an issue?

Thank you!

1 Solution
pklove
Community Champion

We always recommend this for our integrations.  Just make sure the generic account has a very complicated password.  And as no one logs in with the account it does not need to be remembered/recorded anywhere.  If you need to change the tokens you can change the password to log in at that time.

3 Replies
Chris_Hofer
Community Coach

Hello @atcarver, welcome to the Canvas Community. Thanks for posting your question. I don't necessarily have an answer for you, but I wanted to let you know that I am going to share your question with the Canvas Developers group here in the Community in hopes that your question will get some additional exposure. If you are not yet following this group, please use the link that I have provided, and then click on the "Follow" button at the top right corner of the page. Also, you may want to click on the "Actions" menu (also located in that same area of the screen) and then choose "Join group". I hope this is okay with you, Andrew. Good luck, and welcome again!

James
Community Champion

I agree with pklove.

As far as Canvas admins at our institution doing any integration work, it's pretty much just me. For the first five years or so, I used my credentials to do all the API stuff on the backend. There were a few times when things failed and I wondered, without hard proof, that what I was doing in the foreground may have been conflicting with what was going on in the background. What ultimately convinced me to switch was the data was seeping into the request logs and activity logs as me doing something, although it was a background process. I'm also a teacher and I thought it would be easier to track my real work from all that background work so I created a systems integration account.

It has one of those really long secure passwords generated using pwgen on Linux. I didn't even bother to write it down, I just used it long enough to log in and generate the access token.