What are Access Tokens?
Access tokens in Canvas act as special keys that give programs access to Canvas on your behalf. They allow the program to do anything you could normally do yourself when you are logged into Canvas. When you manually generate an access token, it is like handing out your password, and, like a password, it should be kept private and secure.
What are the Risks of Allowing Users to Generate Access Tokens?
There has been a recent trend for vendors to request user-generated access tokens as a means to bypass the more secure LTI standard and the security reviews that Dartmouth requires before purchasing third-party tools. Because a token is the equivalent of your username and password, any third party holding it could access all of your data in Canvas, including course materials, assignments, and grades. The more access you have in Canvas (e.g., teachers and TAs), the more data that could be put at risk. Security risks of particular concern include:
FERPA-Protected Data
For students, allowing third-party tools access to Canvas could mean revealing FERPA (Family Educational Rights and Privacy Act) protected data of other students, including course enrollment, discussion posts, grades (from group assignments), etc.
TAs' and instructors' expanded access to data puts even more data at risk, potentially including an entire class's assignments, discussions, grades, etc.
Intellectual Property
Any work you have stored in Canvas, or any work you have access to in Canvas (for instructors and TAs, this could include student work; for students, this includes lectures and course materials shared by your instructor), can be accessed by the third party who holds your access token. They can then use this work without the permission of its owners in money-generating endeavors and other pursuits.
How do I request an access token when I have a legitimate need?
We always strive to balance security with supporting innovation. Toward that end, we want to support the creation of access tokens for legitimate needs here at Dartmouth. The Canvas environment encourages the community to create customizations and tools that support good teaching. If you would like to use the Canvas API for internal development and customization, we would love to partner with you to do that securely. To request API access, please use the form linked on this page. You may expect a response within 5 days of your request.
The following sources were used as references:
Canvas API Access Tokens - Cornell
Pros and Cons of User Access Tokens - Canvas Community