AnsweredAssumed Answered

Asking users to generate an access token

Question asked by Raymond G on Oct 18, 2018
Latest reply on Oct 23, 2018 by James Jones

Is it acceptable to ask users to generate a Canvas access token and enter it into an application? I'm not asking if it is ideal (over using OAuth2 to request tokens,) but rather if it is "legal" and allowed within Canvas's terms of service.


I was under the impression that it is not permitted by Instructure/Canvas to ask users to enter their access tokens into an application. In fact in the Canvas OAuth documentation it states the following.

For testing your application before you've implemented OAuth, the simplest option is to generate an access token on your user's profile page. Note that asking any other user to manually generate a token and enter it into your application is a violation of Canvas' terms of service. Applications in use by multiple users **MUST* use OAuth to obtain tokens*.

What has me asking this question then, is that I recently came across some of James Jones's work (I'm a big fan, James!) and in his tools he asks users to generate and provide access tokens to use his tools. His work has even been promoted by Instructure/Canvas and featured on CanvasLive showing his due date changing Google Doc spreadsheet, during which they show users how to generate an access token and then enter it into his Google Docs spreadsheet. All of this has left me a bit confused on what is permitted and what is not around this topic.


I have written a few LTI integrations now and have become familiar with the OAuth2 flow to request access tokens. If I am able to legally bypass that for smaller-scale applications/integrations it would certainly change my approach. Up to this point I thought it was illegal for me to request users enter an access token, but it seems to be a somewhat accepted practice.


Thank you,