The Instructure Community is in read-only mode as we prepare to migrate to our new Community platform in early December.
Community members cannot post or update content in the Community during this time. All content is still available to view.
Read our blog post for more info about this change.Found this content helpful? Log in or sign up to leave a like!
SUMMARY
Hi everyone, to get access to a student’s canvas information through the Canvas API, does only the student need to grant access or do (a) the teachers or (b) the college/university as a whole need to as well?
Thank you so much !
FURTHER DETAILS
Hello everyone !
We’re using canvas to incorporate student information in our app (for example, a student’s class schedule, grades on assignments, or number of messages sent through canvas).
Each student can generate a canvas token so that a third-party app can access their canvas account, as I understand it. I’m hoping to ask: does only the student need to generate this token to grant access, or does (a) the professor/teacher running the class or (b) the college/university need to as well?
We’d really appreciate any help figuring this out. We’re new developers and it would really help us ! Thank you so much !
I hope you’re doing well and that you have a wonderful day !
Solved! Go to Solution.
Hi @rcreadii
If you're creating an app that is going to be in use by multiple users, you need to use the OAuth 2 authentication flow to obtain access tokens. Asking users to create a personal access token to use your app violates Instructure's API policy and will almost certainly result in your app being blocked by Canvas.
That said, generally, an access token only grants access to things that user would be able to see. Students can typically only see their own grades in a course, for example. Depending on the audience for your application (teachers, students, etc.), you'll need to evaluate what your application actually needs versus the permissions of the user you're performing actions as. This also comes with the--hopefully obvious--caveat: don't show people data they don't have permissions to see. Note that a user's permissions differ based on the institution's Canvas settings and based on their enrollments in a course (i.e., I can be a teacher in one course and a student in another), so assuming that all teachers can do something is going to cause you a lot of headaches *when* this assumption fails.
Another important thing to consider is that you will need to cultivate a relationship with the schools your users are at. Only a Canvas admin at that school can grant you the developer key to allow you to access their students' information. In the United States, this often means completing a VPAT and HECVAT for your application to demonstrate that you are following established accessibility, security, and privacy laws and norms and working with the institution to follow their review process. You may see information about inherited developer keys in Canvas. These allow you to have one set of configuration for all cloud-hosted Canvas instances, but each institution still manages whether these keys are active.
I hope this helps!
Hi @rcreadii
If you're creating an app that is going to be in use by multiple users, you need to use the OAuth 2 authentication flow to obtain access tokens. Asking users to create a personal access token to use your app violates Instructure's API policy and will almost certainly result in your app being blocked by Canvas.
That said, generally, an access token only grants access to things that user would be able to see. Students can typically only see their own grades in a course, for example. Depending on the audience for your application (teachers, students, etc.), you'll need to evaluate what your application actually needs versus the permissions of the user you're performing actions as. This also comes with the--hopefully obvious--caveat: don't show people data they don't have permissions to see. Note that a user's permissions differ based on the institution's Canvas settings and based on their enrollments in a course (i.e., I can be a teacher in one course and a student in another), so assuming that all teachers can do something is going to cause you a lot of headaches *when* this assumption fails.
Another important thing to consider is that you will need to cultivate a relationship with the schools your users are at. Only a Canvas admin at that school can grant you the developer key to allow you to access their students' information. In the United States, this often means completing a VPAT and HECVAT for your application to demonstrate that you are following established accessibility, security, and privacy laws and norms and working with the institution to follow their review process. You may see information about inherited developer keys in Canvas. These allow you to have one set of configuration for all cloud-hosted Canvas instances, but each institution still manages whether these keys are active.
I hope this helps!
Hi @DecoyLex, thank you and understood on all points !
I don’t know if you know how much time you’ve just saved us ! Haha
If you have the time, I’m hoping to ask you a few follow-up questions. We would really appreciate your help !:
Lastly, to tell you a little more about us, we’re a generative tech startup aiming to enhance student well-being at universities. I’m really hoping to pick your brain for 10-15 minutes on working with Canvas. It’s our team’s first canvas integration and from your last response any input you can provide would hold immense value to us ! We’d be enormously grateful for your knowledge. Would something like that be possible? Please kindly just let me know ! If so, I’ll try my best to make myself free at any time !
Thank you for your time and consideration ! We so appreciate your efforts and the clarity you’ve brought us.
I hope you have a great day !
I look forward to hearing from you.
Hi rcreadii,
Are you still working on this? I would love to get in contact I have a couple questions, please lmk!
Community helpTo interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign inTo interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign in
