Canvas API Access Tokens

The manual Canvas API access token service was decommissioned on April 2, 2024. New tokens and token renewals will need to be requested as described below.

Access Token Security

Canvas API access tokens are basically equivalent to your username and password for Canvas. Any individual or application that has your user token will have full access to your Canvas data including course materials, assignments, and grades, just as they would if you shared your Cornell NetID credentials. You should not provide your API access token to any individual, vendor, application, or bot.

If you have shared your API access token with a third-party, you must delete or regenerate the token immediately.

Security risks of sharing your API access token with a third party include:

  • Intellectual Property: Any work you have stored in Canvas or any work you have access to in Canvas (for instructors and TAs, this could include student work; for students, this includes lectures and course materials shared by your instructor) can be accessed by the third party. They can then use this work without the permissions of the owners in money-generating and other pursuits.
  • FERPA Protected Data: For students, allowing the third-party access to Canvas could mean revealing FERPA (Family Educational Rights and Privacy Act) protected data of other students, including course enrollment, discussion posts, grades (from group assignments), and more. For instructors, allowing access to a third-party tool would be an even greater breach of FERPA protected data, as you would allow it full access to student work, grades, and more.

Safely Testing the Canvas API

If you are interested in utilizing the Canvas API, we recommend reviewing the Canvas LMS API Documentation. Once you are ready to explore implementation, we recommend you create an account in Canvas’ free instance. This will allow you to create a course devoid of student work and data where you can safely practice using the API.

Request an Access Token

Fill out this form to request an API access token at Cornell. Student requests for access tokens require the sponsorship of a faculty member who understands the student’s intended use of the Canvas API. You can also request a token using the steps below.

  1. Log into Cornell’s Canvas instance.
  2. In the Global Navigation menu on the left, go to Account and select Settings.
  3. Scroll down and click the + New Access Token button.
  4. Fill out the questions on the form, clearly describing your need for an API access token and intended use.

Once requests are reviewed, new tokens will be generated by a Canvas account administrator, users will be notified and provided information regarding refreshing their access token. We expect requests to be processed within five (5) business days from when they are received.

Creative Commons License

Cornell Center for Teaching Innovation - Resource Library by The CTI Staff is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License