Suppose you use Canvas at your school district or university, and you really want a cool new reporting feature so you can visualize student growth over time. What do you do?

Suppose you are an app developer who works on a nifty school planner and you want upcoming assignments and quizzes from Canvas to appear in your app. What do you do?

I bet you can think of a million ways that Canvas can be extended, enhanced, or integrated to improve your workflow and the value that you're getting from the platform. But Instructure (the company behind Canvas) can't do it all - there are only so many software developers and only so many gizmos they can add before things slow down and start to become confusing.

The solution: Canvas allows their school districts as well as external partners to develop features on top of the Canvas platform to achieve their own goals. There are many ways to integrate with Canvas, but the one we'll stick to in this article is called API Integration.

The rest of this article is dedicated to explaining the concepts behind Canvas API integration and Canvas developer keys. If you're looking for a guide on how to create these keys, please check out our other post here.

What in the World is API Integration?

To put it simply: an API is a set of rules that two applications use to communicate. Think of it as a common language or format that they can use to understand each other. In the real world, we all have to agree on how to properly format street addresses or dates. If you were to move to another country where they have agreed on a different format for these things, you'd probably get lost or show up at the wrong time.

The same is true for computers. If they send information in the wrong format, it will be misinterpreted by the other system. So it's very important that software developers agree on the format of communication.

Once everyone agrees on how two platforms will communicate, we can move onto what information the two platforms will communicate. In the case of Canvas, their API has tons of features so a lot can be communicated.

What Kind of Features Are We Talking About?

The full list of everything that can be communicated back and forth is located here on Canvas' developer website. But to keep it simple for the reader, you can write code that talks to Canvas to serve a variety of different functions:

  • Managing user accounts (e.g. creating a new student)
  • Running Canvas reports & downloading aggregate analytics
  • Creating or retrieving announcements
  • Managing student assignments or quizzes
  • Syncing student grades
  • Retrieving student submissions (e.g. to make a portfolio)

...and literally dozens more.

So How Do Developer Keys Factor In?

All of this power comes with responsibility. Not just anyone should be able to create and delete grades in Canvas. So what's preventing any random stranger from messing with your school's Canvas account?

Canvas developer keys.

Developer keys are the method that Canvas uses to identify the person or application who is trying to make changes to the platform. They are kind of like a "secret password" that only Canvas and the other application know.

Every time an outside application wants to make a change in Canvas, they will send along some variation of the keys (glossing over the technical bits) to prove that they are who they say they are. If Canvas doesn't see the correct keys, then the request is denied.

Keeping Keys Safe

Since developer keys are like a secret password, it means are extremely sensitive and great care should be taken to keep them a secret. The only people who should know your keys are the school technology admins and the third-party application provider (like Edlink).

Here's what you need to do to keep them safe:

  • Do not share your Canvas admin credentials with anyone for any reason.
  • Make sure that your partners always store Canvas developer keys in a fully encrypted format.
  • Do NOT share keys via email, or any other unsecured format. The application provider should have some sort of secure form or configuration process that handles your keys.
  • Do not enter keys into any other web form such as a Google Form.

If you're not sure how to share keys, you should use an app specifically for this purpose (try out Keybase). If for any reason you believe that keys may have become compromised, delete them immediately, and issue the developer new ones.

Are The Keys Guessable?

"But the keys are just random numbers and letters? Couldn't somebody guess them? Is that safe?" you might ask. The answer is a definitive yes - with a catch: the keys are extremely secure as long as proper procedures are taken to protect them as described above.

Just how safe are they? Canvas uses a sequence of 64 random letters and numbers. This results in approximately 5.16 * 10^114 combinations (that's 5 with 114 zeros at the end). If you had a computer guess a billion, billion, billion times per second, it would not even come close to guessing the secret key, even over the 13 billion years that the universe has existed.

It wouldn't even have made a dent.

Bringing It All Together

Hopefully you have a solid understanding of what Canvas developer keys are and how they can be used to build cool new features on top of Canvas. If you're ready to get started generating some keys, check out of our guide on how to do so.

If you're a software developer trying to navigate the world of LMS integration, don't hesitate to reach out. Edlink can help you build a seamless integration into Canvas, as well as many other popular learning management systems.

You can learn more at our website, get in touch, or if you're ready to dive into the technical bits, check out our developer documentation.