There have to be a million ways that Canvas can be extended, enhanced, or integrated to improve workflows and the value that schools get from the LMS. But Instructure (the company behind Canvas) can't do it all. There are only so many software developers and only so many features that can be added before things slow down and start to become confusing.

The solution: Canvas allows schools, as well as external partners, to develop features on top of the Canvas platform to achieve their goals. One of the ways Canvas allows this, is through API Integrations.

What Kind of Features Are We Talking About?

The full list of everything that can be communicated back and forth is located on Canvas’s developer website. But to keep it simple, developers can write code that talks to Canvas to serve a variety of different functions:

  • Managing user accounts (e.g. creating a new student)
  • Running Canvas reports and downloading aggregate analytics
  • Creating or retrieving announcements
  • Managing student assignments or quizzes
  • Syncing student grades
  • Retrieving student submissions (e.g. to make a portfolio)

...and literally dozens more.

So How Do Developer Keys Factor In?

All of this power comes with responsibility. Not anyone should be able to create and delete grades in Canvas. So what's preventing any random stranger from messing with a school's Canvas account?

Canvas developer keys.

Every time an outside application wants to make a change in Canvas, the app will send along some variation of the keys (glossing over the technical bits) to prove that the app is who they say they are. If Canvas doesn't see the correct keys, then the request is denied.

If you're looking for a guide on how to create these keys, please check out our other post here.

Keeping Keys Safe

Since developer keys are like a secret password, they are extremely sensitive and great care should be taken to keep them a secret. The only people who should know the keys are the school technology admins and the third-party application provider (like Edlink).

Here's what school admins need to do to keep them safe:

  • Do not share the Canvas admin credentials with anyone for any reason.
  • Make sure that partners always store Canvas developer keys in a fully encrypted format.
  • Do NOT share keys via email, or any other unsecured format. The application provider should have some sort of secure form or configuration process that handles your keys.
  • Do not enter keys into any other web form such as a Google Form.

If a school admin isn’t sure how to share keys, the admin should use an app specifically for this purpose (like Keybase). If school admins believe that keys may have become compromised, delete them immediately, and issue the developer new ones.

Are The Keys Guessable?

"But aren’t the keys just random numbers and letters? Couldn't somebody guess them? Is that safe?" you might ask. The answer is a definitive yes - with a catch: the keys are extremely secure as long as proper procedures are taken to protect them as described above.

Just how safe are they? Canvas uses a sequence of 64 random letters and numbers. If you had a computer guess a billion, billion, billion times per second, it would not even come close to guessing the secret key, even over the 13 billion years that the universe has existed.

(It wouldn't even have made a dent!)

Read More on Canvas Integrations?

Here are other articles we’ve written on Canvas to help you on your journey:

If you're looking for a partner who can help guide you through developing Canvas integrations (like these), then let’s introduce ourselves. We’re Edlink!