Hi everyone,

We’re integrating a self-hosted Canvas back-office with a frontend that fetches data via the API. While developing the authentication system, we encountered an issue with user roles.

Our assumption was that each user would have a single, clearly defined role (e.g., Student or Teacher). However, we’ve noticed that a user can be assigned to multiple courses with different roles—meaning the same account can be a Student in one course and a Teacher in another.

This creates a challenge when handling login authentication because the API doesn’t seem to return a definitive role for the user. Instead, roles seem to be course-specific.

API: POST /login/oauth2/token
Doc: https://canvas.instructure.com/doc/api/file.oauth_endpoints.html#post-login-oauth2-token

Is this the expected behavior?

If so, how do you typically determine a user’s primary role within Canvas? Any best practices or API endpoints we should look into?

Thanks in advance for any insights!