
All things API

Have a question about the Canvas APIs? Have a cool API integration you'd be willing to share? If so, please post here.


The first code snippet that you had was missing the : between Authorization and Bearer. The second post that you have uses account ID of 1. I would try using self instead of 1. If you are using a hosted account, which it looks like since you have in the URL, there is a really good chance (approaching 100%) that you do not own account 1. That would give you an unauthorized error. It may be something else, but those are two things that jump out at me in the code you supplied.


I was indeed missing the : which was my mistake. That is corrected now. Thank you!

That, combined with a (fifth) token change per‌'s suggestion, seems to have done the trick for now. Thank you both!

Community Member

I want to authenticate access to a canvas webpage based not on an API token key, but on an existing session, so that people have to log into accounts that have the matching permissions in order to access the page. How can I do this in Canvas?

EDIT: I am using Laravel, if it's of any interest, and I am making my own custom webpages for it.

Canvas lacks fine-grained access control at the level of individual pages - to a first approximation, all of the content in a course has the same level of access as any other. However, finer-grained access control can be done for an LTI application that has been installed. You can see examples of doing this authentication in Ruby at (see the SinatraTestxx.rb, chipit.rb, and adminit.rb programs). The LTI application runs in a frame within the Canvas window. One could use an LTI app to provide very fine-grained access control or even a capabilities-based access control mechanism, but you would have to implement all of the mechanism yourself.

Note that one could store a given user's capabilities using the user's custom_data (see I have used this type of data to store information about a student's program of study (in the above Ruby program). Now, before the LTI app presents data to the user, it can check the custom_data for a capability to access this data.

Thank you. Do you have any advice for someone using Laravel?

I do not have any experience with Laravel. However, as it is a PHP environment - you should be able to make your public/index.php file do the OAuth verification - presumably using Laravel's Passport.

Community Member

EDIT: For anyone reading this and using Laravel/Canvas, I would not recommend using Passport for OAuth2 authentication/authorisation. Passport creates an OAuth2 server in your project for you to use; Canvas already has one created for you. You can create clients, developer keys and such on Canvas. See here:
Developer Keys - Canvas LMS REST API Documentation 

OAuth2 - Canvas LMS REST API Documentation 

I'm getting data on user accounts (as can be seen here Users - Canvas LMS REST API Documentation ). You can see an example of what this looks like for me in the picture below.

Is it possible to add a field value to this array for users? If so, how, and is it recommended?

[Image: 325251_pastedImage_1.png]

What kind of field do you want to add? I frequently use joins/cats/... and other operations by using Python Pandas - so I can put together user information with other information - such as who has been assigned as a peer reviewer for whom. See for example: Canvas-tools/ at master · gqmaguirejr/Canvas-tools · GitHub and Canvas-tools/ at master · gqmaguirejr/Canvas-tools · GitHub


I was thinking something as simple as a permission field. e.g. for one user it might read "permissions => default", while an admin would read "permissions => admin". How would that go about?

For clarity's sake, this is in PHP, via the Laravel framework.

You can easily pass via the LTI interface information from Canvas about what roles a user has.

However, building a full permissions-based access scheme where different people with the same role have different permissions requires storing this information somewhere - this is where the custom user information could be used.
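
The replies above describe taking a user's roles from the LTI launch and keeping per-user capabilities in custom_data. As an added example (not code from this thread, from Canvas, or from the Canvas-tools repository), the Ruby below verifies the launch signature before trusting its `roles` field and then checks a capability list. It assumes an LTI 1.1 launch signed with OAuth 1.0a HMAC-SHA1 and a hypothetical `capabilities` array stored in custom_data; the key, secret, URL, capability names and admin-bypass rule are constructed for illustration.

```ruby
require 'openssl'

ADMIN_ROLE = 'urn:lti:instrole:ims/lis/Administrator' # assumption: role that bypasses the capability check
LAUNCH_URL = 'https://tool.example/lti/launch'         # constructed
SECRET = 'demo-secret'                                  # constructed shared secret

# Percent-encode as OAuth 1.0a requires (RFC 5849, section 3.6).
def pct(str)
  str.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format('%%%02X', c.ord) }
end

# Base64 HMAC-SHA1 over method, URL and sorted parameters. LTI 1.1 uses no token
# secret; the launch URL is assumed to carry no query string.
def launch_signature(method, url, params, secret)
  pairs = params.reject { |k, _| k == 'oauth_signature' }.map { |k, v| [pct(k), pct(v)] }.sort
  base = [method.upcase, pct(url), pct(pairs.map { |kv| kv.join('=') }.join('&'))].join('&')
  [OpenSSL::HMAC.digest('SHA1', "#{pct(secret)}&", base)].pack('m0')
end

# Byte comparison with no early exit on the first mismatch.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Grant access only when the launch is authentic and recent, and the user is an admin
# or holds the capability. custom_data is the parsed {"data": ...} reply from the
# custom_data endpoint. A deployed check would also reject a reused oauth_nonce.
def allowed?(url, params, secret, custom_data, capability, now: Time.now.to_i)
  expected = launch_signature('POST', url, params, secret)
  return false unless secure_eq(params['oauth_signature'].to_s, expected)
  return false unless (now - params['oauth_timestamp'].to_i).abs <= 300
  return true if params['roles'].to_s.split(',').map(&:strip).include?(ADMIN_ROLE)
  data = custom_data['data']
  data.is_a?(Hash) && Array(data['capabilities']).include?(capability)
end

# Constructed sample launch, signed the way the tool consumer would sign it.
def sample_launch(roles, timestamp)
  params = { 'oauth_consumer_key' => 'demo-key', 'oauth_nonce' => 'n-1',
             'oauth_signature_method' => 'HMAC-SHA1', 'oauth_timestamp' => timestamp.to_s,
             'oauth_version' => '1.0', 'lti_message_type' => 'basic-lti-launch-request',
             'custom_canvas_user_id' => '42', 'roles' => roles }
  params.merge('oauth_signature' => launch_signature('POST', LAUNCH_URL, params, SECRET))
end

launch = sample_launch('Learner', 1_700_000_000)
caps = { 'data' => { 'capabilities' => ['view_grades_report'] } }
puts allowed?(LAUNCH_URL, launch, SECRET, caps, 'view_grades_report', now: 1_700_000_010)
puts allowed?(LAUNCH_URL, launch.merge('roles' => ADMIN_ROLE), SECRET, caps, 'edit_users', now: 1_700_000_010)
```

The second call changes `roles` after signing, so the signature no longer matches and the request is refused before any role or capability is read.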