Request a Canvas Personal Access Token

Quick Links: | Request an Access Token | Additional Considerations | Third-Party Applications |

The Canvas API allows programmatic access to course data, grades, and other Canvas features through custom scripts and user-built tools. To interact with the API, you need a Personal Access Token, which acts as a secure credential tied to your account. At Chico State, access token creation is managed by Learning Technology Services (LTS) to ensure compliance with university data security policies. If your needs are related to research or program audits, you may not need a token at all—LTS can often provide the data you need directly.

Request an Access Token

To request a Canvas Personal Access Token, do the following:

1. Determine whether an access token is the right fit for your needs. If you need data for research or a program audit, contact LTS directly to request the data—a token may not be necessary.
2. Prepare a brief description of your intended use for the token. Include what data or Canvas features you plan to access and why. Requests will be reviewed for instructional necessity, accessibility compliance, and security alignment before being issued. Common use cases include:
   • Instructors: Automating grade exports, building custom dashboards for student engagement data, or scripting bulk updates to course content.
   • Students: Pulling assignment or grade data into a personal productivity tool, or building a project that interacts with Canvas for a course assignment. Be aware that information about your token—including its stated purpose and usage patterns—may be shared with Student Rights and Responsibilities if an academic honesty complaint is filed against you.
3. Contact Learning Technology Services by submitting a request through the ticket request form. Include the purpose you prepared in step 2.
4. LTS will coordinate with the Information Security team to evaluate your use case. You may be contacted for additional details during this review.
5. If your request is approved, LTS will generate a Personal Access Token on your behalf and provide it to you securely.
6. Store your token in a secure location. Treat it like a password; do not share it, commit it to public code repositories, or embed it in client-side code.

Additional Considerations

• Token expiration and renewal: Tokens are issued with an expiration date set to 30 days after the end of the term in which they are requested. LTS does not issue tokens with unbounded end dates. When your token is approaching expiration, contact LTS to request a renewal.
• Usage auditing: All token usage is regularly audited to ensure it remains consistent with the stated purpose.
• Account compromise: If your Chico State account is reported as compromised, all active sessions—including API tokens—are deleted as a security measure. Contact LTS to request a new token once your account has been secured.
• Request denied: Review the feedback provided by LTS and the Information Security team. Revise your use case and resubmit if appropriate.

Third-Party Applications

If you're looking to connect a third-party application to Canvas rather than build your own tool, a Personal Access Token is not the right path. It is a violation of the Canvas API Policy for a user to generate an access token to insert into an application. Third-party applications serving multiple users must use OAuth with a developer key instead. Requests for tokens intended for use with third-party applications will typically not be granted.

If you'd like to integrate a third-party tool with Canvas, see Academic Technology Supported Applications for a list of currently supported integrations and information on how to request a new one. Note that the review process for new integrations can take 6–10 weeks, so it's best to submit requests at least one term before the tool will be used.