SUMMARY
Hi everyone, to get access to a student’s Canvas information through the Canvas API, does only the student need to grant access or do (a) the teachers or (b) the college/university as a whole need to as well?
Thank you so much!
FURTHER DETAILS
Hello everyone!
We’re using Canvas to incorporate student information in our app (for example, a student’s class schedule, grades on assignments, or number of messages sent through Canvas).
Each student can generate a Canvas token so that a third-party app can access their Canvas account, as I understand it. I’m hoping to ask: does only the student need to generate this token to grant access, or does (a) the professor/teacher running the class or (b) the college/university need to as well?
We’d really appreciate any help figuring this out. We’re new developers and it would really help us! Thank you so much!
I hope you’re doing well and that you have a wonderful day!
Hi @rcreadii
If you're creating an app that is going to be in use by multiple users, you need to use the OAuth 2 authentication flow to obtain access tokens. Asking users to create a personal access token to use your app violates Instructure's API policy and will almost certainly result in your app being blocked by Canvas.
That said, generally, an access token only grants access to things that user would be able to see. Students can typically only see their own grades in a course, for example. Depending on the audience for your application (teachers, students, etc.), you'll need to evaluate what your application actually needs versus the permissions of the user you're performing actions as. This also comes with the--hopefully obvious--caveat: don't show people data they don't have permissions to see. Note that a user's permissions differ based on the institution's Canvas settings and based on their enrollments in a course (i.e., I can be a teacher in one course and a student in another), so assuming that all teachers can do something is going to cause you a lot of headaches *when* this assumption fails.
Another important thing to consider is that you will need to cultivate a relationship with the schools your users are at. Only a Canvas admin at that school can grant you the developer key to allow you to access their students' information. In the United States, this often means completing a VPAT and HECVAT for your application to demonstrate that you are following established accessibility, security, and privacy laws and norms and working with the institution to follow their review process. You may see information about inherited developer keys in Canvas. These allow you to have one set of configuration for all cloud-hosted Canvas instances, but each institution still manages whether these keys are active.
I hope this helps!
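The OAuth 2 flow recommended in the answer above, sketched as an added example (not part of the original post or of Canvas's own code). It uses Canvas's `/login/oauth2/auth` and `/login/oauth2/token` endpoints; the institution table, redirect URI, credentials and the dict-like `session` are constructed placeholders, and the token request is built but not sent so the block runs offline.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample: one entry per school, because each school's Canvas
# admin decides whether your developer key is active on their instance.
INSTITUTIONS = {"example-u": {"base_url": "https://canvas.example.edu",
                              "client_id": "PLACEHOLDER_CLIENT_ID",
                              "client_secret": "PLACEHOLDER_CLIENT_SECRET"}}
REDIRECT_URI = "https://app.example.com/oauth/callback"  # hypothetical


def authorization_url(institution, session):
    """Step 1: send the user to their own school's Canvas to approve access."""
    cfg = INSTITUTIONS[institution]
    state = secrets.token_urlsafe(32)  # unguessable, bound to this session
    session["oauth_state"] = state
    session["institution"] = institution
    query = urlencode({
        "client_id": cfg["client_id"],
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    })
    return f"{cfg['base_url']}/login/oauth2/auth?{query}"


def token_request(callback_url, session):
    """Step 2: validate the callback, then build the code-for-token POST."""
    params = {k: v[0] for k, v in parse_qs(urlparse(callback_url).query).items()}
    expected = session.pop("oauth_state", None)  # single use: blocks replays
    got = params.get("state", "")
    if not expected or not hmac.compare_digest(expected.encode(), got.encode()):
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in params:
        raise PermissionError(f"access not granted: {params['error']}")
    if "code" not in params:
        raise ValueError("callback carries no authorization code")
    cfg = INSTITUTIONS[session["institution"]]
    body = {
        "grant_type": "authorization_code",
        "client_id": cfg["client_id"],
        "client_secret": cfg["client_secret"],  # server side only
        "redirect_uri": REDIRECT_URI,
        "code": params["code"],
    }
    return f"{cfg['base_url']}/login/oauth2/token", body
```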
Hi @DecoyLex, thank you and understood on all points!
I don’t know if you know how much time you’ve just saved us! Haha
If you have the time, I’m hoping to ask you a few follow-up questions. We would really appreciate your help!:
Lastly, to tell you a little more about us, we’re a generative tech startup aiming to enhance student well-being at universities. I’m really hoping to pick your brain for 10-15 minutes on working with Canvas. It’s our team’s first Canvas integration and from your last response any input you can provide would hold immense value to us! We’d be enormously grateful for your knowledge. Would something like that be possible? Please kindly just let me know! If so, I’ll try my best to make myself free at any time!
Thank you for your time and consideration! We so appreciate your efforts and the clarity you’ve brought us.
I hope you have a great day!
I look forward to hearing from you.
Hi rcreadii,
Are you still working on this? I would love to get in contact. I have a couple of questions, please lmk!