Hello. We have our course that our customers uses as external tool. Course files are hosted on our servers and are opened within iframe on Canvas. Our application identifies users using LTI (we can get course and student identifiers). We want to notify our application when student gets disabled on Canvas site. There is Canvas API available that I believe we can use for that:
The query returns list of all students as JSON and we can analyze "enrollment_state" field. The question we have is how to get authorization from our customers to run this query against their course enrollments. We are going to develop server-side worker that queries customers Canvas sites and determines disabled users. There are several approaches we see:
1. Ask customers to manually generate token and provide to us. But according to documentation it cannot be used for produciton and these keys are used only for development:
2. Ask customers to generate developer key:
Then we can use these keys for OAuth2 flow. But since we develop server-side worker this is not a suitable option.
3. Using JWT to generate access token:
But I'm not sure what Tool Provider mean and how we can register for that.
Can you help what way to choose? What should we do to query students' statuses for partner Canvas instances?