Canvas API Token Request Process

BYU-Idaho is changing how Canvas API tokens are created. Users will no longer be able to generate their own API tokens directly in Canvas.

Instead, all API token requests must be submitted through the Help menu within the BYU-Idaho Canvas instance. This change improves security, provides better tracking of token usage, and introduces role-based permissions.

On July 31 2026, all existing tokens will be removed. 

NOTE: This change applies to the BYU-Idaho Canvas instance only. It does not apply to the Pathway Canvas instance.

How to Request an API Token

  1. Log in to the BYU-Idaho Canvas instance.
  2. Select Help from the global navigation menu.
  3. Choose Request a Token.
  4. Complete and submit the request form.

If the request form is temporarily unavailable due to maintenance, users should try again later.

Token Permissions

Students

Students may request API tokens; however, they will receive read-only access.

Read-only tokens allow students to:

  • Read Canvas data through the API.
  • Use personal integrations such as:
    • Calendar applications
    • To-do list applications
    • Other read-only API integrations

Read-only tokens cannot:

  • Create or modify Canvas content.
  • Submit assignments.
  • Post grades or comments.
  • Perform other write operations through the Canvas API.

This restriction helps prevent automated systems or AI tools from making changes within Canvas while still allowing students to access their own information.

Employees

  • Full-Time Employees who request API tokens through the new process will receive permissions appropriate for their job responsibilities.
  • Student employees are currently treated as employees and receive write access when their administrative role requires it.

The university is evaluating an approval process for student employees who require elevated administrative API permissions in the future.

Existing API Tokens

As part of this security initiative:

  • All end-user API tokens created using the previous self-service method will be deleted at the end of July (target date: August 1).
  • Tokens created through the new Help > Request a Token process will not be deleted.

Users who rely on existing API tokens should request a new token before the cleanup date.

Why This Change?

The new process is designed to:

  • Improve Canvas security.
  • Track who has requested API access.
  • Ensure API permissions are granted appropriately.
  • Reduce the risk of unauthorized or automated write access.
  • Support institutional security and auditing requirements.

Frequently Asked Questions

Does this affect Pathway Canvas?

No. This process only applies to the BYU-Idaho Canvas instance.

Can students still use Canvas API integrations?

Yes. Students may request a read-only API token for personal integrations that do not modify Canvas data.

What happens to my existing token?

If it was created using the previous self-service method, it will be deleted during the security cleanup. Request a new token using the new process if you still need API access.

Why can’t students receive write access?

Read-only access helps prevent automated tools from making changes in Canvas while still allowing students to retrieve their own information through the API.


Contact Us 

If you have questions, please call us at (208) 496-9009 or start a Live Chat with us.

Hours of Operation: Mon - Fri 7:30 AM - 8:00 PM, Sat 10:00 AM - 4:00 PM Mountain Time

(excluding weekly devotional, forum hour, and University Recognized holidays)