
Does an LTI access token give access to full Canvas REST API?

Question asked by Ryan Leonard on Mar 25, 2020
Latest reply on Mar 25, 2020 by James Jones

I am interested in building an internal reporting tool that looks at several various Canvas-specific properties about a course, e.g. existence of 'Pages' in Canvas. I believe this type of information can be gathered from the Canvas Data Portal, or the Canvas REST API (or GraphQL).

I am interested in using the OAuth client_credential flow to authorize my reporting tool to access Canvas REST API. Is this possible? It seems that the client_credential flow is tightly coupled with LTI tools... If I go through the process of getting an access token as an LTI, will that access token be able to access non-LTI Canvas REST APIs?

 

Another solution would be to provide a manually created Access Token to my application, effectively treating it as an API key, per this related Canvas Community discussion. I don't like this solution in that I lose the benefit of the bearer token being rotated every hour.

My plan right now is to use the OAuth auth code flow with a special 'non-user account' that will only be given access to the endpoints it needs (I'm actually not familiar with how a user's access to API endpoints is managed in Canvas, but I will work with my university's Canvas Administrators to help me with that part). I want to still get the benefits of a short-lived, often rotated bearer token. This solution means that I will have to store the user credentials and the developer key on my server... c'est la vie.
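
As an added example (not part of the original post and not Instructure's code), here is one way a server-side tool could keep the hourly bearer token fresh after a one-time authorization code exchange, using the `refresh_token` grant on Canvas's `/login/oauth2/token` endpoint. The class name, the injectable `post` and `clock` parameters and the 60-second skew are assumptions made for illustration.

```python
import json
import time
import urllib.parse
import urllib.request


def http_post_form(url, fields):
    """POST form-encoded fields over HTTPS and return the decoded JSON body."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class CanvasTokenCache:
    """Caches a short-lived access token and renews it with the refresh token."""

    def __init__(self, base_url, client_id, client_secret, refresh_token,
                 post=http_post_form, clock=time.monotonic, skew=60):
        self._url = base_url.rstrip("/") + "/login/oauth2/token"
        # Developer key id/secret and refresh token: load these from a secret
        # store or environment at startup, never from source control.
        self._fields = {
            "grant_type": "refresh_token",
            "client_id": client_id,
            "client_secret": client_secret,
            "refresh_token": refresh_token,
        }
        self._post, self._clock, self._skew = post, clock, skew
        self._token, self._expires_at = None, 0.0

    def access_token(self):
        """Return a valid bearer token, refreshing only when close to expiry."""
        if self._token is None or self._clock() >= self._expires_at - self._skew:
            body = self._post(self._url, self._fields)
            if "access_token" not in body:
                # Fail closed and do not echo the response into logs.
                raise RuntimeError("token refresh failed")
            self._token = body["access_token"]
            self._expires_at = self._clock() + int(body.get("expires_in", 3600))
        return self._token

    def auth_header(self):
        """Header to attach to each Canvas REST API request."""
        return {"Authorization": "Bearer " + self.access_token()}
```

With this shape the server holds the developer key secret and the refresh token, and the access token itself lives only in memory.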
