Instructure Canvas API Policy

Date of Last Revision: March 2017

Modifications to Policy

Instructure reserves the right, in its sole discretion, to modify this Canvas API Policy at any time. You are responsible for reviewing and becoming familiar with any modifications. Modifications are effective when first posted. To receive notifications about changes to this policy and the Canvas API functionality, see the Deprecation and API Changes section below.

Principles

Applications that access the Canvas API should adhere to the following principles:

  • Don't impersonate.
  • Don't surprise users.
  • Respect the privacy of any information retrieved.
  • Don't overload users.

Additionally, your applications must adhere to Canvas API rate limits (see the API Rate Limits section below).

Don’t Impersonate

  • Your application should not mirror or replicate Instructure, Canvas, or any other organization using Canvas.
  • Do not impersonate or facilitate impersonation of others in a manner that can mislead, confuse, or deceive users.
  • End users should understand that your application is integrated with Canvas but is an independent resource.
  • You should not remove or alter any proprietary notices in the Canvas API.

Don’t Surprise Users

Your application should not…

  • Use the Canvas API for purposes other than what your application states or implies.
  • Confuse or mislead users about the source or purpose of your application.
  • Use business names and/or logos in a manner that can mislead, confuse, or deceive users.
  • Use the Canvas API on behalf of any third party.
  • Facilitate or encourage the publishing of links to malicious or obscene content.

Your service should outline what actions your application will take on the user's behalf as part of the application registration process.

Respect the Privacy of any Information Retrieved

  • Any user information—including course enrollments, grades, profile information, etc.—retrieved through the Canvas API should be considered private information and, in some cases, will be protected by government regulations.
  • Know what information your tool will disclose to the public or to other products and services, and be clear with end users about what information will be disclosed.
  • Do not facilitate or encourage the publishing of private or confidential information.
  • Respect the intellectual property rights of others.

Don’t Overload Users

Canvas provides a number of different ways to contact, notify, and inform users of information. Where these methods are exposed in the Canvas API, it's important to monitor how often your application is pushing information to users.

In general, you should try to push information as rarely as possible, both to prevent user annoyance and also to make your pushes more effective.

API Rate Limits

Applications that access the Canvas API must not place undue load on Canvas servers. Canvas has an automatic rate limiting provision that dynamically adjusts as more concurrent and/or expensive requests occur. When the rate limit is exceeded, API requests will fail. Rate limiting is enforced per user access token so that partners who perform requests on behalf of multiple end users will not be throttled per developer access token that they hold.

If an application regularly exceeds the API rate limits or uses a disproportionately large number of high-impact (e.g. non-GET) requests, the access tokens may be revoked, or other measures may be taken to ensure the stability of the system for all users.

If you are concerned about hitting the rate limit, please contact your Customer Success Manager to either adjust your rate limit or seek assistance optimizing your application for lower impact on Canvas performance.

Deprecation and API Changes

The Canvas API is versioned to allow for future enhancements. Instructure strives to deliver a platform that is stable, consistent, and secure so you can confidently build awesome on top of Canvas APIs. Instructure will add, change, and remove API endpoints and fields from time to time using commercially reasonable efforts to provide communication as indicated:

| Type of change | Notice | What you should do |
|---|---|---|
| Remove an endpoint | Endpoint will be marked DEPRECATED at least 90 days before endpoint is removed | Watch release notes |
| Remove a documented field in a result set | Field will be marked DEPRECATED at least 90 days before field is removed | Watch release notes |
| Remove an undocumented field in a result set | Undocumented fields can be removed or changed without notice | Avoid using these fields or be aware that they could be experimental and could change at any time |
| Add a field to a result set | Field can be added without prior notice | Write your code to be resilient to these types of changes |
| Add to the attribute set of a field in the result set | New values can be added to a field without prior notice | Write your code to be resilient to these types of changes |
| Change the attribute set of a field in the result set | Field value will be marked DEPRECATED at least 90 days before attribute is changed | Watch release notes |
| Remove the attribute set of a field in the result set | Field value will be marked DEPRECATED at least 90 days before attribute is removed | Watch release notes |
| Change to BETA endpoints, fields, or attributes | Can be removed or changed without prior notice | Watch release notes |
| Changes related to fixing a security vulnerability | Any change related to repairing a security vulnerability could be made without prior notice | Watch security bulletins |

Instructure has no liability to Customer as a result of any change, temporary unavailability, suspension, or termination of access to the API.

Information and notices regarding Canvas APIs can be found in the Canvas Production Release Notes.

API Support

Developers on cloud-hosted Canvas can submit questions about or issues with the API to the Canvas Support team in one of the following ways:

  • Email [email protected]
  • Open the Help Menu in Canvas and select the Report a Problem option

Tickets about the API will be handled following the same service-level agreement that applies to any other ticket from a given institution.

Developers on self-hosted, open-source Canvas can get support through the Canvas developer community: