Community Member

Access API from LTI

I am trying to access the Canvas Groups API, I need to retrieve information on group sets.

We currently authenticate via LTI 1.1 and LTI 1.3

How should I go about getting an access token for the API?

More information:

I have tried using devoloper keys 


However I get a 422 or 500 error after authorizing

2 Replies
Community Member

Hi Lyle,

Let's see if we can point you in the right direction. I wanted to check a couple of things first, as you are using developer keys, can I assume you are using OAUTH to then generate a user token and then using that user token for authorisation?

The developer key is intended for enabling OAUTH apps to securely authenticate a user and then generate a token on their account.

I will admit my knowledge of how you would do this from within LTI is rather limited (I have not developed an LTI app myself), however, should be able to go through the logic.

Also, can you possibly provide some insight into exactly what you are trying to attempt (almost a high level architecture), and is this for a small, limited number of users, or something wider you are looking to roll out? That will help ascertain a couple of different approaches.

I also did some digging through the community and managed to stumble across an example of an LTI that does OAUTH for access to the Canvas APIs also. It might not be in the same language, but, you may be able to review for the general logic GitHub - ucfopen/lti-template-flask-oauth-tokens: LTI template written in Python using the Flask fra...  

I found this linked in the following thread https://community.canvaslms.com/message/163191-re-all-things-api?messageTarget=all&start=250&mode=co... (which is a fantastic bedtime read!) lots of great little tidbits here and there.

While I haven't been able to give you a complete answer, I am hoping that points you in the right direction to get you started and link into a few extra resources within the community. Please let us know how you get on and if there is anything else we an do, we will absolutely do our best!


Community Member

Most LTI integrations will consume the user identity, get the user logged in, and then run a check in their database during the LTI launch to see if they have an access token for the user. If not, they will kick them through the OAuth2 flow to obtain the token and refresh token. A good app will encrypt and store the access token and refresh token in their DB on or related to the user record. It will also refresh the token before running requests if it is expired. Apps should also account for the possibility of a user deleting their access token so should be able to kick the user back through OAuth2 in the event that the token is not healthy.