UW Canvas users can generate an individual token to programmatically access the API. These tokens provide the ability to interact with the API with the same permissions as the user has through the Canvas UI. Because many instructors or Canvas admins have broad access to confidential student data through the Canvas API, these access tokens should be handled securely. When using an API access token:
It is good practice to review access tokens at least annually, and expire or delete unused access tokens.
Because Canvas admins have broad access to and escalated privileges in the courses in their campus, college/school, or department, they have a heightened responsibility when using API access tokens, as the impact of any breach in security will be greater than for other users with more restricted access. The API access token of a Canvas admin provides access to the same course and student data through the API as the admin can view through the Canvas UI. Canvas admins should take the following measures with access tokens:
UW-IT will notify admins annually of the need to review and expire or delete access tokens.
UW-IT strongly prefers that vendor applications use developer keys and OAuth instead of accessing the API directly. Occasionally, a vendor integration with Canvas will require API access. In these circumstances, UW-IT requires a signed contract that includes a data security and privacy agreement before an access key will be issued. See the UW LMS Vendor Integration Program documentation for more details. In addition, UW-IT will require use of an application NetID for programmatic access to the API. Please send a request to help@uw.edu for consultation and assistance with your integration.