Community help

brandon42 · ‎05-28-2025

Hello Canvas Community,

We are working on an integration using the Canvas LMS API, and are attempting to generate an access token for a student using the endpoint:

POST /api/v1/users/:user_id/tokens
https://www.canvas.instructure.com/doc/api/access_tokens.html

We are using an admin-level access token

However, we are experiencing issues:

The token is not returned, or is returned in a "pending" state with no "token" value.
There appears to be no way to activate the pending token programmatically or via impersonation.
We could not find clear documentation or UI references on how a specific user (e.g., the student) can manually activate a pending token created by an admin

chriscas · ‎05-29-2025

Hi @brandon42,

May I ask why you're attempting to create individual user access tokens? I think that is going to be a very frowned upon practice overall.

The more common route would be to use a Developer Key / oAuth2 flow to be able to do API calls on behalf of users.

-Chris

View solution in original post

chriscas · ‎05-29-2025

Hi @brandon42,

May I ask why you're attempting to create individual user access tokens? I think that is going to be a very frowned upon practice overall.

The more common route would be to use a Developer Key / oAuth2 flow to be able to do API calls on behalf of users.

-Chris

jwals · ‎05-30-2025

Hi @brandon42,

When you use that API endpoint to create a token on a user's behalf, that user must activate it themselves; I don't have a screenshot handy but when they look at their tokens it will be in the "Pending" state and they will have an "Activate" button they can click. If you hit that POST endpoint for your own user account you should be able to see it. An admin masquerading as the user can explicitly not activate the token and there is no programmatic way to do so, which is a reasonable security consideration on Instructure's part to guarantee that tokens really truly belong to the user they're associated with. If you are trying to make API calls on behalf of other users, the oAuth 2 flow that Chris references is the appropriate way to do so. Lastly, I'm assuming you deleted that token or never activated it, but be careful with your screenshots -- putting that full text token out there could give someone access to your Canvas instance!

Unable to Generate Access Token for Student via Admin Access Token

Admin

Is it posible to get the self_enrollment_code trou...

Display LTI content in pages from Editor LTI Place...

Media Plugin for Canvas LMS

Is there a way to customize the format and structu...

Search API - return Courses with include[] data ?

UI for weekly progression idea

Is the ‘Enable self assessment’ field available in...

Canvas Rubrics API Criteria

api/v1/courses/sis_course_id:{id#}/sections - Not ...

add `desc` or `asc` to a few api calls that are al...

You're signed out

Unable to Generate Access Token for Student via Admin Access Token

Community help

View our top guides and resources: