API (Application Programming Interface) tokens are used to allow external applications to access user data within Canvas via the application’s API. Typically, API tokens are created on behalf of users by approved applications that are integrated with Canvas. These applications are vetted and approved before their integration with Canvas.
However, Canvas also allows users to manually generate API tokens. Any individual or application that has your user token will have full access to your Canvas data, just as they would if you gave away your username and password. Sharing your API token with an unauthorized third party creates serious security risks, and you should always be suspicious if someone asks you to create and give them an API token. Below are some of the security risks associated with giving away your token.
- Grades: The third party will be able to see your Canvas grades, which are protected under FERPA (the Family and Educational Rights Privacy Act). If you have encountered academic difficulties, failed an assignment or test, etc., they will know.
- Intellectual Property: If you have stored any work in Canvas, the third party can access this at will. They can then claim your research, business plans, etc. as their own and monetize it as they see fit.
- Controversial Work: If you have written a paper, delivered a recorded speech, etc., on a controversial topic, the third party may choose to use this against you in the future. They could use it to damage your employment prospects, to subvert a campaign for political office, or even as the basis for extortion.
If you have given a third party access to your API token, you should delete it IMMEDIATELY.
Please email canvas@uchicago.edu if you have questions about tokens. If you believe your data has been compromised or have lost control of your API token, contact IT Security at security@uchicago.edu.
To learn more:
- The University of Washington has a comprehensive article about the proper use of tokens: Canvas LMS: API Access and Access Tokens
- If you need to know how to delete a token, see the Canvas Guide How do I manage API access tokens as a student?