Canvas API Access Token Request Policy
Usage Guidelines, Request Policy, and Review Process
This document provides guidelines and policy for user-generated Application Programming Interface (API) tokens in Texas A&M University’s Canvas learning management system. API tokens allow applications to access data outside of the native environment, which can provide expanded functionality and efficiencies.
Canvas API access is only approved for teaching and learning course management purposes through course staff. It is not available for students or development purposes.
Please be aware that additional legal guidance is forthcoming that may alter the approval of current and new tokens following the most recent legislative session. Revocation of tokens is at the discretion of the LMS Executive Committee or Canvas resource owner and may occur at any time.
This policy is effective October 2025.
Canvas API Token Security and Privacy Considerations
API tokens are essentially access credentials and should be considered as sensitive information. This means that they should be stored in a secure manner (see Technology Services – Protecting Confidential Information).
Sharing this token with other individuals or third-party vendors will provide access to Canvas course data which can create security risks and may not be in compliance with Standard Administrative Procedure 29.01.03.M0.02 Information Resources – Acceptable Use. Any existing access with third-party vendors should be deleted immediately and any external integrations should adhere to the university’s third-party tool request process within Canvas.
Some potential security and privacy concerns include:
- Protected data such as educational records (ex: student grades protected by the Family and Educational Rights Privacy Act (FERPA))
- Intellectual property and content scraping/curation (ex: any course content or activities created by an instructor of record; third parties curating course artifacts in bad faith for extortion/blackmail)
- Academic integrity/honor violations (ex: course content being copied by an artificial intelligence (AI) bot to share with students outside of the course or the development of AI tutoring systems).
Canvas API Support
The teams that support Texas A&M University’s Digital Learning Environment:
- Maintain the API request portal
- Evaluate all requests to ensure compliance with guidelines and policies
- Review all current tokens between each long semester
- Terminate any tokens that are out of compliance
- Do not provide API coding/development support
Steps for Requesting a Canvas API Token:
- Submit a ticket through the TeamDynamix Service Catalog to Teaching and Learning – Learning Management – LMS Administrative.
- Select LMS API Request under Type of Help.
- Fill out all required information in the form:
  - Purpose
    - Please provide clear, detailed information to facilitate the evaluation process that covers all expected usage, including any specific scopes and what types of data will be accessed/written
  - Risk Mitigation
    - How will tokens be securely stored?
    - How will sensitive data be protected in transit and at rest?
    - Note: External data stores are not permissible.
  - Review and acknowledge TAMU AI Regulation 29.01.05
  - Pick a timeline for access (up to six months; renewable)
  - Complete attestation to not connect Canvas with external vendors. Note: users will be held accountable for use and state law.
  - Description is available for any additional context or information pertaining to the request.
- Submit the request form.
- Canvas administrators will review the ticket and follow up with any questions through the ticketing system.
- Following review, Canvas administrators will communicate the status:
  - If approved, the Office for Learning Technology Services will create the token and communicate next steps.
  - If not approved, the Center for Teaching Excellence will provide a rationale.