We're a content publisher and we've recently run into a couple of schools where the need to go to the Developer Keys area in Canvas to implement LTI 1.3 has raised red flags about what information they're exposing to vendors.
My guess is that the LTI Key lives with the Developer Keys because that's where the OAuth2 authentication lives, but it's not really a Developer Key in the traditional sense. Is there an official document that explains this? If not, can someone make one? It would help remove a roadblock to vendors integrating with Canvas.