Canvas LMS API Integration - JU-DEV-Bootcamps/ERAS GitHub Wiki
Authentication
Manual Token Generation (Only for one user)
Asking any other user to manually generate a token and enter it into your application is a violation of Canvas' API Policy. Applications in use by multiple users MUST use OAuth to obtain tokens.
To manually generate a token for testing:
1. Click the "profile" link in the top right menu bar, or navigate to /profile.
2. Under the "Approved Integrations" section, click the button to generate a new access token.
3. Once the token is generated, you cannot view it again, and you'll have to generate a new token if you forget it. Remember that access tokens are password equivalent, so keep them secret.
OAuth Flow
Your application can rely on Canvas for a user's identity. During step 1 of the web application flow below, specify the optional scope parameter as scope=/auth/userinfo. When the user is asked to grant your application access in step 2 of the web application flow, they will also be given an option to remember their authorization. If they grant access and remember the authorization, Canvas will skip step 2 of the request flow for future requests.
Canvas will not give a token back as part of a userinfo request. It will only provide the current user's name and id.
Getting OAuth2 Client ID/Secret
If your application will be used by others, you will need to implement the full OAuth2 token request workflow, so that you can request an access token for each user of your application.
Performing the OAuth2 token request flow requires an application client ID and client secret. To obtain these application credentials, you will need to register your application. The client secret should never be shared.
Step 1: Redirect users to request Canvas access
A basic request looks like:
GET https://<canvas-install-url>/login/oauth2/auth?client_id=XXX&response_type=code&state=YYY&redirect_uri=https://example.com/oauth2response
Step 2: Redirect back to the redirect_uri, or out-of-band redirect
If the user accepts your request, Canvas redirects back to your redirect_uri with a query string containing the OAuth2 response:
http://www.example.com/oauth2response?code=XXX&state=YYY
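The state value in steps 1 and 2 is what ties the callback to the browser session that started the flow. The sketch below is an added example, not code from the ERAS project or from Canvas: it builds the step 1 URL with a random state and accepts the step 2 callback only when that state comes back unchanged. The host canvas.example.edu, the function names and the dict standing in for a server-side session are assumptions.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

CANVAS_BASE = "https://canvas.example.edu"  # assumed host (placeholder)
CLIENT_ID = "XXX"  # placeholder, as in the request above
REDIRECT_URI = "https://example.com/oauth2response"


def build_authorization_url(session: dict) -> str:
    """Step 1: mint a one-time state, bind it to the session, build the URL."""
    state = secrets.token_urlsafe(32)  # unguessable, URL-safe
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "response_type": "code",
        "state": state,
        "redirect_uri": REDIRECT_URI,
    })
    return f"{CANVAS_BASE}/login/oauth2/auth?{query}"


def handle_callback(session: dict, callback_url: str) -> str:
    """Step 2: return the code only if state matches this session's request."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: a replay finds nothing
    received = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), received.encode()):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in params:  # standard OAuth2 error response, e.g. access_denied
        raise ValueError(f"authorization failed: {params['error'][0]}")
    codes = params.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one code parameter")
    return codes[0]
```

Only the code returned by `handle_callback` should be passed on to the token exchange in step 3.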
Step 3: Exchange the code for the final access token
To get a new access token and refresh token, send a POST request to login/oauth2/token with the following parameters: