The Instructure Community will enter a read-only state on November 22, 2025 as we prepare to migrate to our new Community platform in early December. Read our blog post for more info about this change.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Community
- Groups
- Developers Group
- Forum
- Use the canvas API from an LTI 1.3
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Found this content helpful? Log in or sign up to leave a like!
Use the canvas API from an LTI 1.3
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2020
09:40 PM
Hello, I am currently trying a demo application with LTI 1.3 and php (I am new to LTI development), I would like to be able to work with more data from the canvas API although of course, working directly with the api makes my application less interoperable, but since it is a demo I would like to experiment.
In order to achieve this, I have had some doubts:
1.- When the LTI canvas is being authenticated, it returns a key called "authenticity_token". What is this really? What is it for?
2.- How can I consume an endpoint of the canvas api from the LTI? Should I register an api key by obligation and ask the user to authorize the application to obtain my bearer token and consume the api?
3.- How can I identify the user and course in question for the relationship between the LTI and the API? The LTI gives me a custom id for the user, since the substitution of variables I cannot directly send the user id to my LTI (only the sisSourceId) and the user ID to consume the API is totally different from the one delivered in the LTI , same for the course id.
Solved! Go to Solution.
1 Solution
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2020
11:45 PM
Firstly LTI Advantage (which Canvas implements) allows you as a LTI 1.3 integration to make some API calls that other platforms (VLE/LMS) will also support. For these APIs you don't need any other key, you use the JWK registered with Canvas when you added your LTI developer key to sign these requests. The Canvas documentation pages for these endpoints are:
- https://canvas.instructure.com/doc/api/names_and_role.html
- https://canvas.instructure.com/doc/api/file.content_item.html
- https://canvas.instructure.com/doc/api/file.assignment_tools.html#lti_advantage
Instructure also have a few custom APIs that use the same authentication method, for example the API to lookup accounts, https://canvas.instructure.com/doc/api/accounts_(lti).html
- The "authenticity_token" isn't part of the LTI 1.0 Security specification, I don't know what it's used for but as far as I'm aware you can't use it to call any Canvas APIs.
- If you want to call any APIs that aren't LTI ones then you either need to generate a API developer key and get users to authorise the application after doing the LTI launch, or you need to generate a token as an admin and then use that token for all your requests, although if you go the admin token route watch out for rate limiting of your requests and also consider using the Masquerading parameter so that Canvas still does it's permission checks.
- If you want to know the internal Canvas details for the user then you should add some Variable Substitutions to your LTI launch so that the additional details you need are passed across. These will appear in the custom claim of the JWT that is sent across in the LTI launch.
1 Reply
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-30-2020
11:45 PM
Firstly LTI Advantage (which Canvas implements) allows you as a LTI 1.3 integration to make some API calls that other platforms (VLE/LMS) will also support. For these APIs you don't need any other key, you use the JWK registered with Canvas when you added your LTI developer key to sign these requests. The Canvas documentation pages for these endpoints are:
- https://canvas.instructure.com/doc/api/names_and_role.html
- https://canvas.instructure.com/doc/api/file.content_item.html
- https://canvas.instructure.com/doc/api/file.assignment_tools.html#lti_advantage
Instructure also have a few custom APIs that use the same authentication method, for example the API to lookup accounts, https://canvas.instructure.com/doc/api/accounts_(lti).html
- The "authenticity_token" isn't part of the LTI 1.0 Security specification, I don't know what it's used for but as far as I'm aware you can't use it to call any Canvas APIs.
- If you want to call any APIs that aren't LTI ones then you either need to generate a API developer key and get users to authorise the application after doing the LTI launch, or you need to generate a token as an admin and then use that token for all your requests, although if you go the admin token route watch out for rate limiting of your requests and also consider using the Masquerading parameter so that Canvas still does it's permission checks.
- If you want to know the internal Canvas details for the user then you should add some Variable Substitutions to your LTI launch so that the additional details you need are passed across. These will appear in the custom claim of the JWT that is sent across in the LTI launch.
Community help
To interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign inView our top guides and resources:
Find My Canvas URL Help Logging into Canvas Generate a Pairing Code Canvas Browser and Computer Requirements Change Canvas Notification Settings Submit a Peer Review AssignmentTo interact with Panda Bot, our automated chatbot, you need to sign up or log in:
Sign in