Date of Last Revision: March 1, 2024
Instructure, Inc. (and its affiliate(s), collectively “Instructure”) has developed this Canvas API Policy (“API Policy”) which governs each individual’s (“you” or “you”) use of the Canvas API.
Modifications to Policy
Instructure reserves the right, in its sole discretion, to modify this API Policy at any time. You are responsible for reviewing and becoming familiar with any modifications. Modifications are effective when first posted. To receive notifications about changes to this API Policy and the Canvas API functionality, see the Deprecation and API Changes section below.
Principles
Applications that access the Canvas API should adhere to the following principles:
- Don't impersonate.
- Don't surprise users.
- Respect the privacy of any information retrieved.
- Don't overload users.
Additionally, your applications must adhere to Canvas API rate limits (see the API Rate Limits section below).
Don’t Impersonate
- Your application should not mirror or replicate Instructure, Canvas, or any other organization using Canvas.
- Do not impersonate or facilitate impersonation of others in a manner that can mislead, confuse, or deceive users.
- End users should understand that your application is integrated with Canvas but is an independent resource.
- You should not remove or alter any proprietary notices in the Canvas API.
Don’t Surprise Users
Your application should not do the following.
- Use the Canvas API for different purposes other than what your application states or implies;
- Confuse or mislead users about the source or purpose of your application;
- Use business names and/or logos in a manner that can mislead, confuse, or deceive end-users;
- Use the Canvas API on behalf of any third-party; or
- Facilitate or encourage the publishing of links to malicious or obscene content.
Your application must outline what actions your application will take on the end-user's behalf as part of the application registration process.
Respect the Privacy of any Information Retrieved
- Any end-user information—including course enrollments, grades, profile information, etc.—retrieved through the Canvas API should be considered private information and, in some cases, will be protected by law and regulations.
- Know what information your application will disclose to the public or to other products and services, and be clear with end-users about what information will be disclosed.
- Do not facilitate or encourage the publishing of private or confidential information.
- Respect the intellectual property rights of others.
Don’t Overload Users
Canvas provides a number of different ways to contact, notify, and inform end-users of information. Where these methods are exposed in the Canvas API, it's important to monitor how often your application is pushing information to end-users.
In general, you should try to push information as rarely as possible, both to prevent end-user annoyance and also to make your pushes more effective.
API Rate Limits
Applications that access the Canvas API must not place undue load on Canvas servers. Canvas has an automatic rate limiting provision that dynamically adjusts as more concurrent and/or expensive requests occur. When the rate limit is exceeded, Canvas API requests will fail. Rate limiting is enforced per user access token so that partners who perform requests on behalf of multiple end-users will not be throttled per developer access token that they hold.
If an application regularly exceeds the API rate limits or uses a disproportionately large number of high-impact (e.g. non-GET) requests, Instructure may revoke your access tokens, or take other measures to ensure the stability of the Canvas for all users.
If you are concerned about hitting the rate limit, please contact your Customer Success Manager to seek assistance optimizing your application for lower impact on Canvas performance.
Deprecation and API Changes
The Canvas API is versioned to allow for future enhancements. Instructure strives to deliver a platform that is stable, consistent, and secure so you can confidently build awesome on top of Canvas APIs.
Instructure will add, change, and remove API endpoints and fields from time to time using commercially reasonable efforts to provide communication as indicated:
| Type of change | Notice | What you should do |
|---|---|---|
| Remove an endpoint | Endpoint will be marked DEPRECATED at least 90 days before endpoint is removed | Watch release notes |
| Remove a documented field in a result set | Field will be marked DEPRECATED at least 90 days before field is removed | Watch release notes |
| Remove an undocumented field in a result set | Undocumented fields can be removed or changed without notice | Avoid using these fields or be aware that they could be experimental and could change at any time |
| Add a field to a result set | Field can be added without prior notice | Write your code to be resilient to these types of changes |
| Add to the attribute set of a field in the result set | New values can be added to a field without prior notice | Write your code to be resilient to these types of changes |
| Change the attribute set of a field in the result set | Field value will be marked DEPRECATED at least 90 days before attribute is changed | Watch Current Canvas Releases & Deploys notes |
| Remove the attribute set of a field in the result set | Field value will be marked DEPRECATED at least 90 days before attribute is removed | Watch Current Canvas Releases & Deploys notes |
| Change to BETA endpoints, fields, or attributes | Can be removed or changed without prior notice | Watch Current Canvas Releases & Deploys notes |
| Changes related to fixing a security vulnerability | Any change related to repairing a security vulnerability could be made without prior notice | Canvas Security Updates - Instructure Community |
Instructure has no liability to you as a result of any change, temporary unavailability, suspension, or termination of access to the Canvas API.
Information and notices regarding Canvas APIs can be found in the Canvas Production Release Notes.
API Support
Developers on cloud-hosted Canvas can submit questions about or issues with the API to the Canvas Support team in one of the following ways:
- Email support@instructure.com
- Open the Help Menu in Canvas and select the Report a Problem option
Tickets that are submitted related to the Canvas API will be handled by Instructure following the same service-level agreement that applies to any other ticket from a customer.
Developers on self-hosted, open-source Canvas can get support through the Canvas developer community:
- Engage in conversation on the #canvas-lms Freenode IRC channel using the IRC client of your choice. Or use Freenode’s web client here: http://webchat.freenode.net/?channels=canvas-lms
- Participate in our github site found here: https://github.com/instructure/canvas-lms
- Join the Developer Group to participate in discussions about the API: https://community.canvaslms.com/t5/Canvas-Developers-Group/gh-p/developers