Canvas API Credential Monitoring for Districts & Universities

Following the Canvas security incidents in May 2026, we're rolling out our Credential Monitor tool to provide institutions with greater visibility into the developer keys that exist in their Canvas instance. Edlink is one of the largest third-party integration partners for Canvas (for both API and LTI integrations), so we get to see the best (and worst) of what's out there from a security perspective.

To that end, we're embarking on a mission to improve the cybersecurity posture of schools and universities around the world, starting with something we know a lot about: Canvas API keys.

We're rolling out a new feature in Edlink called Credential Monitor that will provide institutions greater visibility into the developer keys that exist in their Canvas instance.

Although this particular incident did not involve a third-party integration, integrations remain a major attack vector for school systems, and we're acutely aware of how difficult they can be to track and monitor. Many district IT departments struggle to keep track of which integrations their schools use, and even fewer have a solid handle on what data those integrations have access to.

Hopefully, this tool will support a variety of different LMS and SIS platforms in the future, but we had to start somewhere.

What the Credential Monitor Does

At a high level, the Credential Monitor:

  1. Allows you to quickly see all of the developer keys that exist in your Canvas instance.
  2. Identifies keys that have risky permission scopes or appear to be unused.
  3. Alerts you when keys are created, updated, or deleted.

The last point in particular is critical for districts. As of right now, if a malicious actor were to get hold of an unscoped Canvas access token (with the correct permissions), they could create any number of new developer keys (or even modify existing ones) to exfiltrate data or conduct phishing attacks against teachers and students.

This tool helps limit your exposure in a few ways:

  1. It helps you clear out old or unused keys.
  2. It alerts you to new keys that are created (which could be an indication of a breach).
  3. It suggests ways to tighten up permission scopes on existing keys.
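
As an illustration of the kind of check described above (an added example, not Edlink's implementation and not Canvas API output), the following compares two inventories of developer keys to find created, updated, and deleted keys, then flags keys that are unscoped or appear unused. The record fields, scope strings, 180-day cutoff, and function names are all assumptions constructed for this example.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=180)  # assumed cutoff for "appears unused"
TRACKED = ("name", "scopes")       # assumed fields whose change is an "update"

# Constructed inventories in a hypothetical schema (not Canvas API output).
BEFORE = [
    {"id": 101, "name": "Gradebook Sync", "scopes": ["grades:read"],
     "last_used_at": "2026-05-01T08:00:00+00:00"},
    {"id": 102, "name": "Old Pilot Tool", "scopes": ["courses:read"],
     "last_used_at": "2025-01-15T08:00:00+00:00"},
    {"id": 103, "name": "Reading App", "scopes": ["courses:read"],
     "last_used_at": "2026-05-10T08:00:00+00:00"},
]
AFTER = [
    {"id": 101, "name": "Gradebook Sync", "scopes": ["grades:read"],
     "last_used_at": "2026-05-20T08:00:00+00:00"},  # only usage changed
    {"id": 103, "name": "Reading App", "scopes": [],  # scope list emptied
     "last_used_at": "2026-05-10T08:00:00+00:00"},
    {"id": 104, "name": "Unknown Key", "scopes": [], "last_used_at": None},
]

def diff_keys(before, after):
    """Return ids of keys created, updated (tracked fields only) and deleted."""
    old = {k["id"]: k for k in before}
    new = {k["id"]: k for k in after}
    changed = [i for i in old.keys() & new.keys()
               if any(old[i][f] != new[i][f] for f in TRACKED)]
    return {"created": sorted(new.keys() - old.keys()),
            "updated": sorted(changed),
            "deleted": sorted(old.keys() - new.keys())}

def risk_flags(key, now):
    """Flag a key with no scope restriction or no recent use."""
    flags = []
    if not key["scopes"]:
        flags.append("unscoped")
    last = key["last_used_at"]
    if last is None or now - datetime.fromisoformat(last) > STALE_AFTER:
        flags.append("unused")
    return flags

if __name__ == "__main__":
    now = datetime(2026, 6, 1, tzinfo=timezone.utc)
    print(diff_keys(BEFORE, AFTER))
    print({k["id"]: risk_flags(k, now) for k in AFTER})
```

Comparing only the tracked configuration fields keeps routine activity, such as a changed last-used timestamp on key 101, from raising an "updated" alert.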

How to Get Started

To get started with the Credential Monitor, simply log into your Edlink dashboard and select "Credential Monitor" in the navigation. You will be prompted to set up a new integration between the Credential Monitor and your Canvas instance (which uses the Edlink administrator onboarding flow). Alternatively, you can get started by visiting the onboarding flow directly.

After getting connected, you can view all of the developer keys that exist in your Canvas instance, along with information about when they were created, when they were last used, and what permissions they have.

Additionally, you can receive email alerts whenever a new key is created, updated, or deleted in your Canvas instance. This can be a critical early warning sign of a potential breach, so we highly recommend setting up these alerts as soon as possible.

If you need help, please don't hesitate to reach out to our support team at support@ed.link or via our live chat.