Credential Monitor
Following the Canvas security incidents in May 2026, we've rolled out our Credential Monitor to provide districts with greater visibility into the developer keys that exist in their Canvas instance.
Edlink is one of the largest third-party integration partners for Canvas (for both API and LTI integrations), so we get to see the best (and worst) of what's out there from a security perspective.
To that end, we're embarking on a mission to improve the cybersecurity posture of schools and universities around the world, starting with something we know a lot about: Canvas API keys.
We're rolling out a new feature in Edlink called Credential Monitor that will provide institutions greater visibility into the developer keys that exist in their Canvas instance.
Although this particular incident did not involve a third party integration, integrations remain a major attack vector for school systems and we're acutely aware of how difficult they can be to track and monitor. Many district IT departments struggle to keep track of which integrations their schools use, and even fewer have a solid handle on what data those integrations have access to.
Hopefully, this tool will support a variety of different LMS & SIS systems in the future, but we had to start somewhere.
What the Credential Monitor Does
At a high level, the Credential Monitor:
- Allows you to quickly see all of the developer keys that exist in your Canvas instance.
- Identifies keys that have risky permission scopes or appear to be unused.
- Alerts you when keys are created, updated, or deleted.
The last point in particular is critical for districts. As of right now, if a malicious actor were to get hold of an unscoped Canvas access token (with the correct permissions), they could create any number of new developer keys (or even modify existing ones) to exfiltrate data or conduct phishing attacks against teachers and students.
This tool helps limit your exposure in a few ways:
- It helps you clear out old or unused keys.
- It alerts you to new keys that are created (which could be an indication of a breach).
- It suggests ways to tighten up permission scopes on existing keys.
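The created/updated/deleted alerting described above can be pictured as a diff between two inventory snapshots. This is an added sketch, not Edlink's implementation; the snapshots are constructed and the field names (`id`, `name`, `scopes`, `require_scopes`) are assumptions about how a key inventory might be represented.

```python
# Constructed snapshots of a developer-key inventory at two points in time.
# Field names and values are assumptions made for this sketch.
BEFORE = [
    {"id": 101, "name": "Gradebook Sync", "require_scopes": True,
     "scopes": ["url:GET|/api/v1/courses"]},
    {"id": 102, "name": "Old Pilot Tool", "require_scopes": False, "scopes": []},
]
AFTER = [
    {"id": 101, "name": "Gradebook Sync", "require_scopes": False, "scopes": []},
    {"id": 103, "name": "Reports", "require_scopes": False, "scopes": []},
]

# Fields whose change should raise an "updated" alert.
WATCHED = ("name", "scopes", "require_scopes")


def is_unscoped(key):
    """Treat a key as unscoped if it does not enforce scopes or lists none."""
    return not key.get("require_scopes") or not key.get("scopes")


def diff_keys(before, after):
    """Return (event, key_id, detail) tuples, ordered by key id."""
    old = {k["id"]: k for k in before}
    new = {k["id"]: k for k in after}
    events = []
    for kid in sorted(old.keys() | new.keys()):
        if kid not in old:
            detail = "unscoped" if is_unscoped(new[kid]) else "scoped"
            events.append(("created", kid, detail))
        elif kid not in new:
            events.append(("deleted", kid, ""))
        else:
            changed = [f for f in WATCHED if old[kid].get(f) != new[kid].get(f)]
            if changed:
                detail = ",".join(changed)
                # A scoped key losing its scopes is the riskiest kind of update.
                if is_unscoped(new[kid]) and not is_unscoped(old[kid]):
                    detail += " (now unscoped)"
                events.append(("updated", kid, detail))
    return events


if __name__ == "__main__":
    for event in diff_keys(BEFORE, AFTER):
        print(event)
```

A key that silently goes from scoped to unscoped is reported as an update rather than missed, which matters because the post notes that existing keys can be modified as well as new ones created.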
What the Credential Monitor Cannot Do
As of right now, there are a few things that this tool cannot do (primarily due to limitations in the Canvas API).
- It cannot tell you what data has been accessed by a particular tool, or when.
- It cannot tell you who created or updated a particular API key.
- It cannot tell you what scopes are or are not required by a particular third-party application.
Please be careful when limiting scopes, as it may have unexpected effects on your third-party integrations. It's probably worth a chat with the vendor first!
It may be possible for us to add functionality to tell you which Canvas users have accessed which third-party tools, but this is not available yet (it's something we're still exploring).
Why Start With Canvas?
This new tool isn't an indictment against Canvas. We chose Canvas for two reasons:
- Canvas has a large market share, which means this tool will be valuable to many institutions, right away.
- Canvas has one of the best developer APIs available in the LMS space.
Number two is both a blessing and a curse. While it allows for robust integration capabilities, it also makes it easier for bad actors to exploit vulnerabilities and introduces a larger risk surface than a locked-down API. Despite the risk, we believe this is the correct long-term strategy for Instructure to take and it's our position that we should focus on risk mitigation instead.
We Want Your Feedback!
We plan to roll this tool out to other LMS & SIS providers in the future. If you want a tool like this for your school's system, don't hesitate to reach out to us and let us know!
Also, we're sure you have plenty of ideas that we've never considered. We'd love to hear them!
