Earlier this year, my boss turned on the option to block non-admin users from generating access tokens. Recently, we've been looking through the list of user-generated access tokens associated with student accounts and exploring how and whether to delete them. My first question is, what are some possible uses for those tokens, legitimate or otherwise? The tokens I've generated myself have generally been for the purpose of API calls.
Secondly, I'm looking for tips on how to delete 90-odd access tokens at once. I see that the API only permits me to delete them one by one, so I assume I would have to develop some sort of script for this.
Thanks!
If you have the user ID and token ID for the access tokens to delete, you can write a script to loop through and delete them with the access token deletion endpoint (https://canvas.instructure.com/doc/api/access_tokens.html#method.tokens.destroy). For these simple lists, I like a BASH approach. Here's a sample.
#!/bin/bash
# This script is fairly simple. Edit the variables to set the server,
# log file name, and feed file name (add paths as needed).
# The feed file should just be plain text with the numerical Canvas
# user ID and the numerical token ID on each line.
# Environmental variables are often where the script user's API token
# is stored. Edit the variable name in the curl line or uncomment the
# canvasAPItoken variable below and paste in your admin API token.
# VARIABLES - Adjust values and save file as.
canvas_domain="institution.beta.instructure.com" # It is always a good idea to test against Beta first.
log_file="user_token_deletion_log.txt"
feed_file="user_token_deletion_feed.txt"
#canvasAPItoken=""
# Loop through lines in feed file. Append to log file.
while read -r user_id token_id
do
  echo "$user_id $token_id"
  response=$(curl -s -S "https://$canvas_domain/api/v1/users/$user_id/tokens/$token_id" -X DELETE -H "Authorization: Bearer $canvasAPItoken")
  echo "$(date +'%H:%M:%S') $user_id $token_id $response" >> "$log_file"
done < "$feed_file"
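A more defensive take on the same loop, added here as an example and not part of the original post: it rejects feed lines whose IDs are not purely numeric, defaults to a dry run, and checks the HTTP status instead of only logging the response. The names CANVAS_DOMAIN, CANVAS_API_TOKEN and DRY_RUN and the function names are assumptions for illustration.

```bash
#!/bin/bash
# Added example, not the original poster's script. CANVAS_DOMAIN,
# CANVAS_API_TOKEN, DRY_RUN and the function names are assumptions.
canvas_domain="${CANVAS_DOMAIN:-institution.beta.instructure.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only report what would be deleted

# An ID is valid only if it is a non-empty run of decimal digits, so a
# feed line cannot change the URL path or add a query string.
valid_id() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }
valid_pair() { valid_id "$1" && valid_id "$2"; }

# Only 2xx counts as a successful deletion.
status_ok() { case "$1" in 2[0-9][0-9]) return 0 ;; *) return 1 ;; esac; }

# Send one DELETE and print the HTTP status code. The admin token comes
# from the environment and reaches curl on stdin (-K -), so it is not
# stored in the script and does not show up in the process list.
delete_token() {
  printf 'header = "Authorization: Bearer %s"\n' "$CANVAS_API_TOKEN" |
    curl -s -S -K - -o /dev/null -w '%{http_code}' -X DELETE \
      "https://$canvas_domain/api/v1/users/$1/tokens/$2"
}

# Print one result line per feed line; return non-zero if any line was
# skipped or any deletion failed.
process_feed() {
  local user_id token_id extra code rc=0
  while read -r user_id token_id extra; do
    [ -z "$user_id" ] && continue          # ignore blank lines
    if [ -n "$extra" ] || ! valid_pair "$user_id" "$token_id"; then
      echo "SKIP $user_id $token_id $extra"; rc=1; continue
    fi
    if [ "$DRY_RUN" = "1" ]; then
      echo "DRYRUN $user_id $token_id"; continue
    fi
    code=$(delete_token "$user_id" "$token_id")
    if status_ok "$code"; then
      echo "DELETED $user_id $token_id $code"
    else
      echo "FAILED $user_id $token_id $code"; rc=1
    fi
  done < "$1"
  return "$rc"
}

# Usage: DRY_RUN=0 ./script.sh user_token_deletion_feed.txt
if [ -n "${1:-}" ]; then process_feed "$1"; fi
```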
Hi @molshausen ,
Thanks for posting on the Instructure Community!
While I cannot provide tips on creating scripts for deleting 90 access tokens all at once, I can provide some advice for your first question. When it comes to the use of access tokens, I usually see them used for things such as allowing users to access external apps, and other things by Canvas.
For example, at my high school, there are access tokens set up for apps such as Kami, Google LTI, Canvas for iOS and even to the Canvas Training Portal. We also have additional ones for Office 365, as well as Canvas Commons.
Access tokens are usually very private and sensitive information, so you'll want to ensure that before deleting anything, you don't need any of the information that it has, as once the token is gone... it's likely going to be gone gone and you will not be able to retrieve any information off of it.
I hope this helps a little bit! Reach out with any additional questions.
Best,
Noah
Thanks, Noah. To clarify, I'm talking about tokens that the user has generated manually, not ones that have clear associations with external apps. We are exploring deleting the former for security reasons.
Hello stimme, could you point me toward a tutorial or two on how to execute a script along these lines? I'm not sure where to start regarding how to communicate with Canvas.
@molshausen Can I ask how you typically make API calls?
I have mostly done Live API calls. I have minimal experience using Postman.
Hi @molshausen ! Thanks for letting me know how you're using API calls now. I don't have Postman experience, so I cannot speak to its potential for looping/scripting calls.
When I started making API calls, I was learning to use my OS Terminal (I'm a Mac user) and to read and write shell scripts, especially BASH (Bourne Again Shell) scripts for other reasons. That's what I focused on, and it is where I start when I'm working with a new endpoint. If you're interested in understanding unix/linux terminal commands more broadly, then this might be a good place to dig in. There are videos on YouTube, blogs, websites, LIL videos, etc. about learning BASH commands. The curl command is essential for API calls. The loop options (while and for) are key for scripting a batch of calls.
Another coding environment that has a lot of adoption is Python. One thing that could be appealing in Python is the canvasapi library. There are lots of places to learn Python, too.
If you do not anticipate regularly scripting API calls, then familiarizing yourself with BASH or Python will probably be overkill. Just using the Live API to delete API tokens would take much less time than learning these coding languages.
Thanks for the advice, @stimme. I've learned some basic Python, but yes, I would only be doing some occasional scripting in this job, so an API-centric solution sounds better.
Thank you, Stimme, I'll give this a shot.