Canvas API Access Token Policy

The University Information Service (UIS) allows selected faculty and staff members to use the Canvas API to make their teaching and administrating easier and more efficient. However, because the Access Tokens for API calls can pose serious vulnerabilities to Georgetown’s Canvas, we have set up a process for requesting an Access Token. Essentially we want to make sure that users know how to keep their tokens safe, know best practices for storing tokens and data, and are not going to build or connect their apps and programs by taking code straight from generative AI or other web sources without critically evaluating it.

• Users must ONLY use Canvas API for teaching and course management.
• Users must store API tokens in a secure, encrypted manner. These tokens are essentially access credentials and should be considered as sensitive information.
•  Users must NOT share their tokens with other individuals or third-party vendors. Doing so will provide access to Canvas course data with serious security risks and is NOT in compliance with Georgetown’s Computer Systems Acceptable Use policy. 

How do I request a Canvas API access token?

Complete the Faculty Request for Canvas Access Token form.

What should I expect after the request is made? 

Canvas administrators and the UIS Security Office will review the request and follow up with any questions. Following the review, Canvas administrators will communicate the status:

• If approved, Edtech admins will create the token and communicate next steps.
• If not approved, Edtech will work with the faculty to achieve their goals in another way.

How do I view and manage my Canvas API access tokens? 

Once approved and the access token has been created, you can view and manage your token on your personal Canvas account settings page.

You can learn more about how to manage API access tokens in your user account in the Canvas Community.