Proper use of API access tokens
UW Canvas users can generate an individual token to programmatically access the API. These tokens provide the ability to interact with the API with the same permissions as the user has through the Canvas UI. Because many instructors or Canvas admins have broad access to confidential student data through the Canvas API, these access tokens should be handled securely. When using an API access token:
- Record the token in a secure manner
- Do not send it through email
- Do not provide your API access token to any other individual or a vendor
It is good practice to review access tokens at least annually, and expire or delete unused access tokens.
Use of API access tokens by Canvas admins
Because Canvas admins have broad access to and escalated privileges in the courses in their campus, college/school, or department, they have a heightened responsibility when using API access tokens, as the impact of any breach in security will be greater than for other users with more restricted access. The API access token of a Canvas admin provides access to the same course and student data through the API as the admin can view through the Canvas UI. Canvas admins should take the following measures with access tokens:
- Do not provide the API access token to any other individual or vendor
- Do not use your personal access token to configure an account-level integration
- Review your access tokens at least annually, and expire or delete unused tokens.
UW-IT will notify admins annually of the need to review and expire or delete access tokens.
Vendor requests for API access tokens
UW-IT strongly prefers that vendor applications use developer keys and oauth instead of accessing the API directly. Occasionally, a vendor integration with Canvas will require API access. In these circumstances, UW-IT requires a signed contract that includes a data security and privacy agreement before a access key will be issued. See the UW LMS Vendor Integration Program documentation for more details. In addition, UW-IT will require use of an application netID for the programmatic access to the API. Please send a request to email@example.com for consultation and assistance with your integration.