Quick Overview of Developer Keys

API developer keys are generally used by Canvas developers and school admins to create internal features. However, they can also be used to integrate applications from edtech vendors with a school's Canvas environment.

Developer keys are powerful tools that allow external applications to perform functions in Canvas on behalf of an authenticated user (more about that here). Some key functions include:

  • Creating new users
  • Creating new assignments or resources
  • Modifying grades, and
  • Reading course rosters

Canvas provides documentation that explains what exactly the API is able to do.

Sometimes third-party platforms require a school's Canvas admin to generate developer keys. Once generated, the integration can be set up between the platform and the school's Canvas environment.

Setting Up Developer Keys in Canvas

Below is a step-by-step guide for Canvas admins to generate developer keys. Developers should know that educational institutions often run varying versions of Canvas, so some of the steps below may appear differently in a Canvas admin’s environment.

General Rules for Context:

  • A user must be a Canvas administrator to create developer keys.
  • A user will only see the Admin menu and developer key options if they are an administrator.
  • Institutional staff should contact their IT department for a Canvas admin to create the developer keys.

Step 1: Log into the Canvas account.

Step 2: Select “Admin” from the global navigation sidebar and choose the account (i.e. campus) to connect.

If a user does not see the Admin option, then they are not an admin of the school's Canvas environment.

Step 3: Select "Developer Keys" in the admin navigation menu.

Step 4: Select "+ Developer Key".

Step 5: Choose "+ API Key".

Canvas allows admins to create 2 types of developer keys: API keys and LTI keys. API keys allow external applications to act on behalf of an authenticated Canvas user. LTI keys are used to access LTI tools, which are standardized, externally hosted tools that users in Canvas can access through an LTI link.

For the purposes of this article, we’ll discuss the API Key.

Step 6: Enter the following into the provided fields and select "Save" when completed:

The key settings below are used to create API developer keys in Canvas. Below are descriptions of what each field represents:

  • Key Name - The name assigned to the key. Typically, this is the name of the application the admin is expecting to integrate. This name will appear when a user authorizes the external application to access their Canvas account.
  • Owner Email - This field is designed to help the admin keep note of the person or company they are sharing the key with. Typically, it will be the email of the account manager or integration specialist. This does not affect who can access the key.
  • Redirect URIs - The location that Canvas will send users once the app has been successfully authorized. If more than one is specified, then the developer can choose where the user gets redirected (as long as it's on the list).
  • Redirect URI (Legacy) - This field can be safely ignored. It has been deprecated.
  • Vendor Code (LTI 2) - This field can be left blank. It was part of the now deprecated LTI v2.0 specification.
  • Icon URL - A link to an image that represents the application to integrate with.
  • Notes - Additional comments that the admin feels are necessary for record-keeping. Entered notes do not affect the key.

The admin can also enforce scopes when creating the developer key. These scopes restrict what an external app can access. If Enforce Scopes is selected, the admin must manually select which endpoints the application can access. It will not have access to any other endpoints.

Please be careful when selecting scopes. Canvas offers hundreds of features; selecting the wrong features might grant an inappropriate level of access or prevent the application from having the access it actually needs.
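The check below compares the scopes ticked on a key against the list the vendor says the integration needs, and reports both over-granted and missing access. It is an added example, not part of the original article or Canvas's own tooling; the function names and the sample scope lists are constructed for illustration.

```python
import re

# Canvas scope strings have the form "url:<METHOD>|<path>".
SCOPE_RE = re.compile(r"^url:(GET|POST|PUT|PATCH|DELETE)\|(/\S+)$")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_scope(scope):
    """Split a scope string into (method, path); reject anything malformed."""
    m = SCOPE_RE.match(scope.strip())
    if not m:
        raise ValueError(f"not a Canvas scope string: {scope!r}")
    return m.group(1), m.group(2)


def review_scopes(selected, needed):
    """Compare the scopes selected on the key with those the vendor requested."""
    selected_set = {s.strip() for s in selected}
    needed_set = {s.strip() for s in needed}
    for s in selected_set | needed_set:
        parse_scope(s)  # fail early on typos in either list
    extra = sorted(selected_set - needed_set)
    return {
        "missing": sorted(needed_set - selected_set),  # integration would break
        "extra": extra,                                # access nobody asked for
        "extra_write": [s for s in extra if parse_scope(s)[0] in WRITE_METHODS],
    }


# Constructed sample: a roster-sync integration that only needs to read.
NEEDED = [
    "url:GET|/api/v1/courses",
    "url:GET|/api/v1/courses/:course_id/enrollments",
]
SELECTED = [
    "url:GET|/api/v1/courses",
    "url:POST|/api/v1/accounts/:account_id/users",  # can create users
    "url:PUT|/api/v1/courses/:course_id/assignments/:assignment_id/submissions/:user_id",  # can change grades
]

if __name__ == "__main__":
    for kind, scopes in review_scopes(SELECTED, NEEDED).items():
        print(kind, scopes)
```

An empty `missing` and an empty `extra` list mean the key grants exactly what was requested; anything under `extra_write` deserves a second look before the key is switched on.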

Step 7: Switch the State to ON next to the developer key.

To enable the developer key, the State must be turned ON. If the State is OFF, the developer key will not work. Note that when the key is created, the default state is OFF.

Once the key is created, the admin will need to use the Developer Key ID and Developer Key Secret to enable the integration. The Developer Key ID is the number located underneath the Details column. Select Show Key to obtain the Developer Key Secret.

The Developer Key ID and Secret are used in tandem by an external application to access the admin’s Canvas environment.
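To show how the two values are used on the vendor side, here is a sketch of the OAuth2 requests an external application builds against Canvas's `/login/oauth2/auth` and `/login/oauth2/token` endpoints. It is an added example, not Edlink's or Canvas's code; the host names, key ID, and the `CANVAS_KEY_SECRET` environment variable are assumptions, and the redirect check is the application's own pre-check against the key's Redirect URIs list.

```python
import hmac
import os
import secrets
from urllib.parse import urlencode, urlsplit


def build_authorize_url(canvas_base, key_id, redirect_uri, registered, scopes=()):
    """Return (url, state) for sending the user to Canvas to authorize the app."""
    if urlsplit(canvas_base).scheme != "https":
        raise ValueError("Canvas base URL must use HTTPS")
    if redirect_uri not in registered:  # exact match against the key's list
        raise ValueError("redirect URI is not registered on the developer key")
    state = secrets.token_urlsafe(32)  # ties the callback to this user's session
    params = {"client_id": key_id, "response_type": "code",
              "redirect_uri": redirect_uri, "state": state}
    if scopes:  # ask only for scopes that were selected on the key
        params["scope"] = " ".join(scopes)
    return f"{canvas_base.rstrip('/')}/login/oauth2/auth?{urlencode(params)}", state


def build_token_request(canvas_base, key_id, redirect_uri, code,
                        returned_state, expected_state):
    """Return (url, form) for the code exchange; the caller POSTs it over TLS."""
    if not hmac.compare_digest(returned_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not match our request")
    # The secret stays out of source code; the variable name is hypothetical.
    secret = os.environ.get("CANVAS_KEY_SECRET")
    if not secret:
        raise RuntimeError("Developer Key Secret is not configured")
    form = {"grant_type": "authorization_code", "client_id": key_id,
            "client_secret": secret, "redirect_uri": redirect_uri, "code": code}
    return f"{canvas_base.rstrip('/')}/login/oauth2/token", form


# Constructed sample values, not real keys or hosts.
CANVAS = "https://canvas.example.edu"
KEY_ID = "10000000000001"
REGISTERED = ["https://app.example.com/oauth/callback"]

if __name__ == "__main__":
    url, state = build_authorize_url(CANVAS, KEY_ID, REGISTERED[0], REGISTERED,
                                     ["url:GET|/api/v1/courses"])
    print(url)
```

The Developer Key ID travels in the browser as `client_id`, while the Secret appears only in the server-to-server token request.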

Step 8: Keep keys secure.

These keys are very powerful and can expose very sensitive information. Admins must not share these keys with anyone except for a trusted partner.

If an admin believes the keys have been compromised, they must immediately delete the key. Admins can delete the key by selecting the trash icon next to the developer key, underneath the Actions column. The admin must then recreate a key to generate a new Developer Key ID and Secret.

Step 9: Share your keys securely, and only when necessary.

When admins are working with external vendors to integrate the Canvas environment with an application, the admin will need to provide the vendor with the Developer Key ID and Secret in a secure manner.

Admins can securely share the keys using private web forms secured with HTTPS. These web forms must be provided by the vendor and go directly to their servers.

Do not use web forms generated by outside parties, such as Google Forms. Also, do not share key IDs and secrets over email.

Below is an example of the secure web form that Edlink provides Canvas administrators (note the secure connection).

Key-sharing tools, such as Keybase, can also be used to securely share keys. Note that admins will have to download these tools in order to use them properly.


If you're looking for a partner who can help guide you through developing LMS integrations (like these), then let’s introduce ourselves. We’re Edlink!