The Academic Technology team maintains a policy against providing individual Canvas Application Programming Interface (API) user tokens. In rare cases, under certain circumstances and with approval, faculty or staff may be given access. Students will not be approved for tokens.
What is a Canvas API token?
An API token is a generated string of letters and numbers, but it is not a standard password. It is a credential intended to grant programmatic access to Canvas. The token allows software or applications, including AI agents, to read, write, and modify any data, enrollments, courses, and grades to which the associated user has access, without any further login.
Why do we limit use of API tokens?
Limiting the issuance of user tokens is a critical security and stability requirement for maintaining our LMS environment. The risks of unrestricted tokens include:
- Data security: Granting API access increases the risk of a potential data breach. If an unmanaged or improperly secured application gains access, sensitive student and institutional data could be compromised. In addition, user tokens circumvent multi-factor authentication (MFA) and university SSO authentication requirements: a token works on its own, so anyone who obtains it has the user's access without passing either control.
- Increasing risk from AI and third-party services: Many AI tools and browser extensions now request Canvas API tokens to analyze coursework, generate summaries or feedback, automate downloads or submissions, or provide grading insights. These tools are often hosted externally, store tokens insecurely, have unclear data retention policies, and are not contractually vetted by the institution. In effect, users are being asked to delegate full account access to unvetted third parties, creating unacceptable risk to student records and institutional systems. The downstream impact of a compromised token can exceed that of a stolen password, especially since MFA provides no protection. ChatGPT Education/Enterprise, Google Gemini, Notebook LM, and Copilot, when you sign in with your University SSO, are the only licensed, approved AI tools for DCL 3 (FERPA) data. MU also has the use of Show-Me AI.
- User accountability: Any actions taken using the token are the responsibility of the token holder.
- System instability: Improperly coded or potentially abusive tools such as AI agents can use the token to run extensive numbers of API calls and overload the Canvas system, leading to performance issues, lag, or even system-wide outages for all users. We must safeguard the system's stability.
- Compliance: Restricting access helps us comply with privacy regulations (such as FERPA) by ensuring only authorized, vetted systems can process educational records. It also helps us comply with Instructure's API policy. Instructure is the parent company of Canvas.
Clarification on API usage
API access is not prohibited, but must be:
- Provisioned centrally with a managed lifecycle
- Used for approved integrations only
- Secured appropriately
- In support of a legitimate and justified business or academic need
Most institutional needs can still be supported using:
- Approved, third-party LTI tools
- Contractually reviewed third-party services
If you have questions, you may submit an email to Academic Technology for support.
Canvas campus and vendor resources