The Academic Technology team maintains a strict policy against providing individual Canvas Application Programming Interface (API) user tokens to general users, faculty, or students.
What is a Canvas API token?
An API token is not a standard password. It is a credential that grants programmatic access to Canvas. The token allows other software or applications, including AI agents, to read, write, and modify any data, enrollments, courses, and grades to which the associated user has access.
Why do we not issue API tokens?
Limiting the issuance of user tokens is a critical security and stability requirement for maintaining our LMS environment. The risks of issuing tokens include:
- Data security: Granting API access increases the risk of a potential data breach. If an unmanaged or improperly secured application gains access, sensitive student and institutional data could be compromised. In addition, user tokens circumvent multi-factor authentication and university SSO authentication requirements. Anyone or anything with the token can act as the user to whom the token belongs.
- System instability: Improperly coded or potentially abusive tools such as AI agents can use the token to make large numbers of API calls and overload the Canvas system, leading to performance issues, lag, or even system-wide outages for all users. We must safeguard the system's stability.
- Compliance: Restricting access helps us comply with privacy regulations (such as FERPA) by ensuring only authorized, vetted systems can process educational records.
Who receives Canvas API tokens?
Canvas API tokens are reserved exclusively for official, pre-approved, and critical integrations that are necessary for campus operations. These typically include:
- Vetted LTI Vendors: Third-party tools that have undergone a full security review and are required to integrate directly with Canvas data (e.g., specific publisher content or advanced analytics platforms).
- Central IT Services: Internal applications maintained by UM System dedicated IT staff for essential functions like Student Information System (SIS) integration.