How do I manage API access tokens for a user as an admin?

As an admin, you can limit the generation of access tokens with the Users - Manage Access Tokens admin permission. The same permission is required to manage access tokens.

This feature benefits users by enhancing security and control over access tokens. By limiting token generation to admins, it reduces the risk of unauthorized token creation, helping to prevent potential misuse or security breaches.

You can also manage API access tokens from your User Settings. Access tokens can be generated automatically for third-party applications or created manually.

Notes:

  • For all API keys, it is best to assign a single, clearly defined purpose. This helps ensure you can identify which API user is performing specific actions and makes it easier to remove keys that are no longer needed.
  • User Access Tokens are required to have a defined purpose, regardless of which user creates them.
  • To minimize security risk if a token is compromised, expiration dates are now required for all User Access Tokens created by users with only student roles, with a maximum expiration of 120 days. This requirement will also be applied to all previously created tokens for users with only student roles.

Open Account

In Global Navigation, click the Account link [1], then click the Settings link [2].

View Access Tokens

Third-party applications with access tokens and user-generated access tokens are listed in the Approved Integrations section [1].

For each access token, you can view the name [2], status [3], purpose [4], expiration date [5], and date of last use [6].

Note: Mobile access tokens are generated for you when you log in to a Canvas mobile app and never expire. To remove access for a mobile application, the access token must be deleted.
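
The token rules in the notes above, applied to an inventory of tokens. This is an added example, not part of the Canvas guide. The record layout (user, roles, name, purpose, expires, last_used, mobile), the 90-day unused threshold, and the exemption of mobile tokens from the expiration rule are assumptions, and the sample records are constructed.

```python
from datetime import date, timedelta

MAX_STUDENT_DAYS = 120  # maximum expiration for student-only users, from the notes above
STALE_DAYS = 90         # assumption: local review threshold, not a Canvas setting

def student_only(roles):
    """True when the user holds at least one role and every role is a student role."""
    return bool(roles) and all(r == "student" for r in roles)

def audit_token(tok, today):
    """Return the policy findings for one token record (hypothetical dict layout)."""
    findings = []
    if not (tok.get("purpose") or "").strip():
        findings.append("no purpose defined")
    if tok.get("mobile"):
        # Mobile tokens never expire, so an unused one stays valid until deleted.
        last = tok.get("last_used")
        if last is None or today - last > timedelta(days=STALE_DAYS):
            findings.append("unused mobile token: delete it to remove access")
    elif student_only(tok.get("roles", [])):
        expires = tok.get("expires")
        if expires is None:
            findings.append("student-only token has no expiration date")
        elif expires - today > timedelta(days=MAX_STUDENT_DAYS):
            findings.append("student-only token expires more than 120 days out")
    return findings

def audit(tokens, today):
    """Map (user, token name) to findings, omitting tokens that pass every check."""
    checked = {(t["user"], t["name"]): audit_token(t, today) for t in tokens}
    return {key: found for key, found in checked.items() if found}

TODAY = date(2025, 1, 15)  # fixed audit date so the constructed sample is reproducible
TOKENS = [  # constructed sample records, not real Canvas output
    {"user": "s1", "roles": ["student"], "name": "calendar", "purpose": "calendar export",
     "expires": date(2025, 3, 1), "last_used": date(2025, 1, 10)},
    {"user": "s2", "roles": ["student"], "name": "script", "purpose": "",
     "expires": None, "last_used": None},
    {"user": "s3", "roles": ["student"], "name": "backup", "purpose": "file backup",
     "expires": date(2025, 12, 31), "last_used": date(2025, 1, 2)},
    {"user": "t1", "roles": ["teacher", "student"], "name": "grades",
     "purpose": "gradebook export", "expires": None, "last_used": date(2025, 1, 14)},
    {"user": "s1", "roles": ["student"], "name": "mobile app", "mobile": True,
     "purpose": "Canvas mobile app", "expires": None, "last_used": date(2024, 6, 1)},
]

if __name__ == "__main__":
    for key, found in audit(TOKENS, TODAY).items():
        print(key, found)
```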

View Token Status

As an admin, if you have both the Users - Manage Access Tokens permission and the Users - act as permission, you can masquerade as a user to generate a token on the user's behalf. This updates the status to Pending, which prevents unauthorized token generation without the user's knowledge. The admin should then securely share the access token with the user. Additionally, as an admin, you can masquerade as a user to delete that user's existing access tokens and regenerate tokens.

Notes:

  • Regenerating an existing access token on behalf of a user will place the token in a pending state, similar to newly generated tokens. The user must activate the token before it can be used. The access token should be securely shared with the user by the admin.
  • Tokens generated by an admin on behalf of a user will remain in a pending state until the user navigates to their user settings and activates the token.
  • Users will receive an email notification if an access token has been generated on their behalf.

When you generate a token on behalf of a user, the user must click the Activate link. This changes the status to Pending (Activating). Afterward, the user should refresh the screen to see the updated status as Active.

Add Access Token

To manually add an access token, click the Add New Access Token button.

Disabled Add New Access Token Button

The Add New Access Token button is disabled when users do not have the Users - Manage Access Tokens permission or when generating access codes is limited to admins.

Note: Existing personal tokens are not removed, but unauthorized users are unable to regenerate them.