Sign InGet Started
Search
⌘K
Get Started Platform Dashboard Developer Guides API Reference UI Widgets SDKs Providers
Legal Flow Changelog Roadmap
For Schools

Credential Monitor

Dakota Gordon
By Dakota Gordon
Last Updated May 18th, 2026
Report an Issue

Following the Canvas security incidents in May 2026, we've rolled out our Credential Monitor to provide districts with greater visibility into the developer keys that exist in their Canvas instance.

Edlink is one of the largest third party integration partners for Canvas (for both API and LTI integrations) so we get to see the best (and worst) of what's out there from a security perspective.

To that end, we're embarking on a mission to improve the cybersecurity posture of schools and universities around the world, starting with something we know a lot about: Canvas API keys.

We're rolling out a new feature in Edlink called Credential Monitor that will provide institutions greater visibility into the developer keys that exist in their Canvas instance.

Although this particular incident did not involve a third party integration, integrations remain a major attack vector for school systems and we're acutely aware of how difficult they can be to track and monitor. Many district IT departments struggle to keep track of which integrations their schools use, and even fewer have a solid handle on what data those integrations have access to.

Hopefully, this tool will support a variety of different LMS & SIS systems in the future, but we had to start somewhere.

What the Credential Monitor Does

At a high level, the Credential Monitor:

  1. Allows you to quickly see all of the developer keys that exist in your Canvas instance.
  2. Identifies keys that have risky permission scopes or appear to be unused.
  3. Alerts you when keys are created, updated, or deleted.

The last point in particular is critical for districts. As of right now, if a malicious actor was to get ahold of an unscoped Canvas access token (with the correct permissions), they could create any number of new developer keys (or even modify existing ones) to exfiltrate data or conduct phishing attacks against teachers and students.

This tool helps limit your exposure in a few ways:

  1. It helps you clear out old or unused keys.
  2. It alerts you to new keys that are created (which could be an indication of a breach).
  3. It suggests ways to tighten up permission scopes on existing keys.

What the Credential Monitor Cannot Do

As of right now, there are a few things that this tool cannot do (primarily due to limitations in the Canvas API).

  1. It cannot tell you what data has been accessed by a particular tool, or when.
  2. It cannot tell you who created or updated a particular API key.
  3. It cannot tell you what scopes are or are not required by a particular third party application.

Please be careful when limiting scopes as it may have unexpected effects on your third party integrations. It's probably worth a chat with the vendor first!

It may be possible for us to add functionality to tell you which Canvas users have accessed which third-party tools, but this is not available yet (it's something we're still exploring).

How to Get Started

To get started with the Credential Monitor, simply log into your Edlink dashboard and navigate to the "Credential Monitor" in the navigation. You will be prompted to set up a new integration between the Credential Monitor and your Canvas instance (which uses the Edlink administrator onboarding flow). Alternatively, you can get started by visiting the onboarding flow directly.

After getting connected, you can view all of the developer keys that exist in your Canvas instance, along with information about when they were created, when they were last used, and what permissions they have.

Additionally, you can receive email alerts whenever a new key is created, updated, or deleted in your Canvas instance. This can be a critical early warning sign of a potential breach, so we highly recommend setting up these alerts as soon as possible.

If you need help, please don't hesitate to reach out to our support team at support@ed.link or via our live chat.

Why Start With Canvas?

This new tool isn't an indictment against Canvas. We chose Canvas for a two reasons:

  1. Canvas has a large market share, which means this tool will be valuable to many institutions, right away.
  2. Canvas has one of the best developer APIs available in the LMS space.

Number two is both a blessing and a curse. While it allows for robust integration capabilities, it also makes it easier for bad actors to exploit vulnerabilities and introduces a larger risk surface than a locked-down API. Despite the risk, we believe this is the correct long-term strategy for Instructure to take and it's our position that we should focus on risk mitigation instead.

We Want Your Feedback!

We plan to roll this tool out to other LMS & SIS providers in the future. If you want a tool like this for your school's system, don't hesitate to reach out to us and let us know!

Also, we're sure you have plenty of ideas that we've never considered. We'd love to hear them!