How do I add a developer API key for an account?
As an admin, you can create developer API keys for root accounts. A developer API key is a code given to the developer of a third-party application that allows access to certain information and permissions within Canvas. Developer API keys can be used to create custom integrations with Canvas and allow third-party apps to use Canvas authentication. The developer API key uses OAuth2 to enable the application to use Canvas for authentication. For more information about OAuth2, see the Instructure API OAuth documentation.
The developer API key is sent from the application to Canvas when a user requests access. The application asks the user for permission to programmatically create an API access token. When the user authorizes the application, the third-party application will have the same access to information and account permissions as the user that granted access. For more information about developer documents, see the Instructure Github page.
Key Scoping
Developer API Keys includes functionality for key scoping as part of adding a developer API key. Key scoping allows you to control direct access to specific API endpoints for third-party tools.
Note: Developer Keys is an account permission. If you cannot view the Developer Keys link in Account Navigation, this permission has not been enabled for your user account.
Open Account
In Global Navigation, click the Admin link [1], then click the name of the account [2].
Open Developer Keys
In Account Navigation, click the Developer Keys link.
Add Developer Key
Click the Add Developer Key button.
Add API Key
Click the Add API Key option.
Enter Key Settings
Enter the settings for the developer API key:
- Key Name [1]: Usually your app or company name. This field will be shown when users are asked to approve access to their Canvas account on your behalf.
- Owner Email [2]: The email of the person who owns the developer tool.
- Redirect URIs [3]: The domains where tokens are requested. These URIs are not your Canvas URL. To avoid mixed content browser concerns, use https.
- Redirect URI (Legacy) [4]: The URI for the key redirect. This field allows you to set the previous URI for a tool. Eventually this field will be removed.
- Vendor Code (LTI 2) [5]: A unique registered code which identifies the vendor or developer of the third-party tool. This is specifically for LTI 2 tools and apps.
- Icon URL [6]: The URL of the icon for your developer tool. This URL is presented to the user to approve authorization for your tool. To avoid mixed content browser concerns, use https.
- Notes [7]: Any notes about the developer key, such as the reason it was created.
- Test Cluster Only [8]: Creates a developer key that can only be used in the Canvas test environment.
- Enforce Scopes [9]: Allows you to customize access for the key. Otherwise, the key will have access to all endpoints available to the authorizing user.
Save Key
Click the Save button.