Body
This article explains why our Academic Technology team maintains a strict policy against providing individual Canvas Application Programming Interface (API) Developer Keys to general users, faculty, or students.
What is a Canvas API Key?
An API Developer Key is not a standard password. It is a powerful administrative credential that grants deep, programmatic access to the Canvas system. This key allows other software or applications to read, write, and modify user data, enrollments, courses, and grades on a massive scale.
Why we do not issue API Keys
Limiting the issuance of Developer Keys is a critical security and stability requirement for maintaining our LMS environment. These risks include:
-
Data security: Granting broad API access increases the risk of a potential data breach. If an unmanaged or improperly secured application gains access, sensitive student and institutional data could be compromised.
-
System instability: Improperly coded or inefficient API calls can overload the Canvas system, leading to performance issues, lag, or even system-wide outages for all users. We must safeguard the system's stability.
-
Compliance: Restricting access helps us comply with privacy regulations (such as FERPA) by ensuring only authorized, vetted systems can process educational records.
-
Scope: A developer key allows access to the entire Canvas instance, including all four campuses. This is not allowed.
Who receives Canvas API Keys?
Canvas API Developer Keys are reserved exclusively for official, pre-approved, and critical integrations that are necessary for campus operations. These typically include:
-
Vetted LTI Vendors: Third-party tools (like specific publisher content or advanced analytics platforms) that have undergone a full security review and are required to integrate directly with Canvas data.
-
Central IT Services: Internal applications maintained by our dedicated IT staff for essential functions like Student Information System (SIS) integration.