Hi @rcreadii 

If you're creating an app that is going to be in use by multiple users, you need to use the OAuth 2 authentication flow to obtain access tokens. Asking users to create a personal access token to use your app violates Instructure's API policy and will almost certainly result in your app being blocked by Canvas.

That said, generally, an access token only grants access to things that user would be able to see. Students can typically only see their own grades in a course, for example. Depending on the audience for your application (teachers, students, etc.), you'll need to evaluate what your application actually needs versus the permissions of the user you're performing actions as. This also comes with the--hopefully obvious--caveat: don't show people data they don't have permissions to see. Note that a user's permissions differ based on the institution's Canvas settings and based on their enrollments in a course (i.e., I can be a teacher in one course and a student in another), so assuming that all teachers can do something is going to cause you a lot of headaches *when* this assumption fails.

Another important thing to consider is that you will need to cultivate a relationship with the schools your users are at. Only a Canvas admin at that school can grant you the developer key to allow you to access their students' information. In the United States, this often means completing a VPAT and HECVAT for your application to demonstrate that you are following established accessibility, security, and privacy laws and norms and working with the institution to follow their review process. You may see information about inherited developer keys in Canvas. These allow you to have one set of configuration for all cloud-hosted Canvas instances, but each institution still manages whether these keys are active.

I hope this helps!