Showing results for 
Search instead for 
Did you mean: 
Community Member

Getting a 422 (Unprocessable entity) error when attempting to execute grade passback

Jump to solution

I'm trying to get Canvas grade passbook to work.  I'm submitting to the endpoint

with the Authorization header

OAuth oauth_body_hash="6MfU9ZcvzMc6XPbdd1PNwiTF1d8=",oauth_nonce="ZiKbzAr8iYsoaUvEFKVV8t1tSrLnhfL6",oauth_signature="0J0XinNaZycfv0UoHcSpCJGYm6M=",oauth_consumer_key="OBSCURED",realm="",oauth_version="1.0",oauth_timestamp="1525367433",oauth_signature_method="HMAC-SHA1"

and the Content-Type header of "application/xml".  Below is teh body of the request...

<?xml version="1.0" encoding="UTF-8"?>

<imsx_POXEnvelopeRequest xmlns="">



















            <text>text data for canvas submission</text>







This is resulting in a  422 Unprocessable Entity error.  Can someone shed light on what this error means and what I can do to fix it?

28 Replies

Canvas will let you get away without having the body hash.  However, it shouldn't --- the body hash ("OAuth body signing " is a requirement in the IMS outcomes standard.

Other LMS will throw an error if you omit the body hash.

The double quotes are okay per se.

Our test tool at shows the headers and xml re send and we have double quotes in the auth header.   If you want to compare, you can access the tool with key/secret:

Looking at your auth header values, I wondering if they need to be url escaped.  We have things like oauth_body_hash="0zwSLXnU%2BihAZNZWhfCywpIjI6A%3D"

View solution in original post

Well hot damn!  That was the answer -- encoding the parameter values in the authorization header.  Thanks!  Let me know when you start your own company so I can come work for you.

Well, I did that some time ago, no vacancies at present.

Hi Peter,

Thanks for your support.

We are facing the same 422 response issues in the course for all student's assignments. But for all other courses grade service working fine.

Are there any settings changes required for that course?

we would greatly appreciate it if you kindly give me some feedback.

In the assignment settings, did you make sure that the external tool URL is exactly the same as the External App's launch URL?


Yes...We already check this...both URL are the same.


Unfortunately, no, we don't log the base string used to generate the signature. I'm pretty sure we use the header values you send, the http method, and the post body to build the base string. Fundamentally speaking, however, you should be able to use the same library you (I'm assuming) are using to validate the signature for the initial LTI request for your tool to also sign the POST request back to Canvas. I guess that would depend on the capabilities of that lib though...

I still suspect something weird going on with either the inclusion of the oauth_body_hash, or the quotes, but I could be wrong.

Community Member

I also ran into a 422 error when submitting grades back to Canvas, but the solution was related to the assignment. When the assignment is created, if the external tool URL isn't the exact URL of an existing tool (excluding additional parameters, e.g. ?x=foo&y=bar), it will fail. For example, if I have created an External App with a launch URL of and in the assignment settings I use, it will fail, even if I included the domain in the app configuration. Also, using an existing LTI library significantly reduces error potential.