Granting Developer Keys

lstickdo
Community Participant

Perhaps this question has been asked somewhere already, but I cannot find anything. I have a third-party vendor (Zoom) requesting a developer key. Not to develop, but for SSO from Canvas to Zoom, I guess.

What are the security considerations for granting developer keys to third-party vendors?

Granting developer keys to third-party vendors makes me nervous. Should I be?

Thanks, Lisa

1 Solution
ColinMurtaugh
Community Champion

Hi Lisa --

It's good to be concerned about giving out developer keys! 🙂 With a developer key, third-party software can essentially masquerade as your users and interact with the Canvas API on their behalf (with their permission). This means that if they're operating on behalf of one of your teachers, they'd be able to do all of the things that teacher can do: access their courses, create and delete content, message their students, access and change grades, etc.

The way this works is that when one of your users accesses the third-party app for the first time, the app redirects the user to Canvas and sends along their developer key. Canvas makes sure that the developer key is valid and that the user is logged in, and then displays a message like "<Application name> is requesting access to your account". If the user grants this access, Canvas will redirect them back to the third-party app along with a token that the app can store and use to make Canvas API calls.

Since having a developer key gives the third-party software such deep access to your Canvas instance, you'll want to have a solid relationship with the vendor (probably with a contract in place, FERPA agreement, data security review, etc.)  I'd ask them to explain what API calls they'll be making, and what data they will read and write in Canvas.  Your institution may already have practices for granting vendors access to sensitive, FERPA-protected data, and this definitely falls into that category.

Hope this is helpful - let me know if you have any questions!

--Colin
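
The advice above to ask the vendor which API calls they will make, and what they read and write, can be run as a repeatable check. This is an added example, not part of the original thread and not Canvas or vendor code: the declared calls are a constructed sample for a hypothetical vendor, the sensitive-segment list is an assumed review policy, and the `url:METHOD|path` strings assume Canvas's per-endpoint developer key scope format.

```python
import re

# Constructed sample: what a hypothetical vendor says its integration will call.
DECLARED_CALLS = [
    "GET /api/v1/users/:user_id/profile",
    "GET /api/v1/courses/:course_id/users",
    "POST /api/v1/calendar_events",
    "PUT /api/v1/courses/:course_id/assignments/:assignment_id/submissions/:user_id",
    "POST /api/v1/conversations",
    "full access to course data",  # vague answer: cannot be reviewed or scoped
]

# Assumed review policy: path segments that touch FERPA-protected student data.
SENSITIVE_SEGMENTS = {"submissions", "grades", "enrollments", "conversations"}
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
CALL_RE = re.compile(r"^(GET|POST|PUT|PATCH|DELETE)\s+(/api/v1/\S+)$")


def review_calls(calls):
    """Sort declared calls into read/write, flag sensitive ones, build scope strings."""
    report = {"read": [], "write": [], "sensitive": [], "rejected": [], "scopes": []}
    for raw in calls:
        match = CALL_RE.match(raw.strip())
        if not match:
            # Anything that is not "METHOD /api/v1/..." goes back to the vendor.
            report["rejected"].append(raw)
            continue
        method, path = match.groups()
        report["write" if method in WRITE_METHODS else "read"].append(raw)
        if SENSITIVE_SEGMENTS & set(path.split("/")):
            report["sensitive"].append(raw)
        # Scope string to enforce on the key so the token cannot exceed the declaration.
        report["scopes"].append(f"url:{method}|{path}")
    return report


if __name__ == "__main__":
    result = review_calls(DECLARED_CALLS)
    for section in ("rejected", "sensitive", "write", "read", "scopes"):
        print(f"{section}:")
        for item in result[section]:
            print(f"  {item}")
```

Rejected entries are the ones to send back to the vendor for a precise answer; sensitive and write entries are the ones to cover in the contract and data security review.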
