Canvas API Access Question (Higher Education)

rcreadii
Community Member

SUMMARY

Hi everyone, to get access to a student’s Canvas information through the Canvas API, does only the student need to grant access or do (a) the teachers or (b) the college/university as a whole need to as well?

Thank you so much!

FURTHER DETAILS

Hello everyone!

We’re using Canvas to incorporate student information in our app (for example, a student’s class schedule, grades on assignments, or number of messages sent through Canvas).

Each student can generate a Canvas token so that a third-party app can access their Canvas account, as I understand it. I’m hoping to ask: does only the student need to generate this token to grant access, or does (a) the professor/teacher running the class or (b) the college/university need to as well?

We’d really appreciate any help figuring this out. We’re new developers and it would really help us! Thank you so much!

I hope you’re doing well and that you have a wonderful day!

1 Solution
DecoyLex
Community Participant

Hi @rcreadii 

If you're creating an app that is going to be in use by multiple users, you need to use the OAuth 2 authentication flow to obtain access tokens. Asking users to create a personal access token to use your app violates Instructure's API policy and will almost certainly result in your app being blocked by Canvas.

That said, generally, an access token only grants access to things that user would be able to see. Students can typically only see their own grades in a course, for example. Depending on the audience for your application (teachers, students, etc.), you'll need to evaluate what your application actually needs versus the permissions of the user you're performing actions as. This also comes with the--hopefully obvious--caveat: don't show people data they don't have permissions to see. Note that a user's permissions differ based on the institution's Canvas settings and based on their enrollments in a course (i.e., I can be a teacher in one course and a student in another), so assuming that all teachers can do something is going to cause you a lot of headaches *when* this assumption fails.

Another important thing to consider is that you will need to cultivate a relationship with the schools your users are at. Only a Canvas admin at that school can grant you the developer key to allow you to access their students' information. In the United States, this often means completing a VPAT and HECVAT for your application to demonstrate that you are following established accessibility, security, and privacy laws and norms and working with the institution to follow their review process. You may see information about inherited developer keys in Canvas. These allow you to have one set of configuration for all cloud-hosted Canvas instances, but each institution still manages whether these keys are active.

I hope this helps!

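The following sketch is an added example, not part of the answer above or of Instructure's code. It shows the two client-side steps of the Canvas OAuth 2 authorization-code flow (`/login/oauth2/auth` and `/login/oauth2/token`) with one developer key per institution and a session-bound `state` value. The hosts, client id, secret, redirect URI and the HMAC-signed `state` format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

# Constructed registry: one developer key per school, issued by its Canvas admin.
INSTITUTIONS = {"example-univ": {
    "base": "https://canvas.example-univ.test",
    "client_id": "10000000000001",          # placeholder
    "client_secret": "PLACEHOLDER-SECRET"}}
REDIRECT_URI = "https://app.example.test/oauth/callback"  # assumed app callback
STATE_KEY = secrets.token_bytes(32)  # per-deployment key for signing state

def make_state(institution: str, session_id: str) -> str:
    """Bind the OAuth state to the user's session and the chosen institution."""
    nonce = secrets.token_urlsafe(16)
    msg = f"{institution}|{session_id}|{nonce}".encode()
    tag = hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{institution}.{nonce}.{tag}"

def check_state(state: str, session_id: str):
    """Return the institution if state is authentic for this session, else None."""
    parts = state.split(".")
    if len(parts) != 3 or parts[0] not in INSTITUTIONS:
        return None
    institution, nonce, tag = parts
    msg = f"{institution}|{session_id}|{nonce}".encode()
    expected = hmac.new(STATE_KEY, msg, hashlib.sha256).hexdigest()
    return institution if hmac.compare_digest(tag, expected) else None

def authorization_url(institution: str, session_id: str) -> str:
    """Step 1: send the user to their own school's Canvas to approve the app."""
    cfg = INSTITUTIONS[institution]
    query = urlencode({"client_id": cfg["client_id"], "response_type": "code",
                       "redirect_uri": REDIRECT_URI,
                       "state": make_state(institution, session_id)})
    return f"{cfg['base']}/login/oauth2/auth?{query}"

def token_request(state: str, code: str, session_id: str):
    """Step 2: build the POST that trades the code for a token (not sent here)."""
    institution = check_state(state, session_id)
    if institution is None:
        raise ValueError("state mismatch: reject the callback")
    cfg = INSTITUTIONS[institution]
    return f"{cfg['base']}/login/oauth2/token", {
        "grant_type": "authorization_code", "code": code,
        "client_id": cfg["client_id"], "client_secret": cfg["client_secret"],
        "redirect_uri": REDIRECT_URI}
```

The token the school's Canvas returns still carries only the approving user's own permissions, so authorization checks in the app remain per user and per course.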