Developer Keys

From the official Canvas documentation:

“Developer keys are OAuth2 client ID and secret pairs stored in Canvas that allow third-party applications to request access to Canvas API endpoints via the OAuth2 flow. Access is granted after a user authorizes an app and Canvas creates an API access token that’s returned in the final request of the OAuth2 flow.
Developer keys created in a root account, by root account administrators or Instructure employees, are only functional for the account they are created in and its sub-accounts… By scoping the tokens, Canvas allows root account administrators to manage the specific API endpoints that tokens issued from a developer key have access to.”

Said another way, the API server (Canvas) validates third-party apps (domain+redirect URI) and API key/API secret, and makes a request. Requests can authenticate users and provide information available on Canvas.

Use in Development

You can complete development work and test dev keys on the Sandbox.

Individual persons do not need individual dev keys; you can (and should) re-use dev keys within development groups. For example, one dev key has been used by multiple iterations of CS61A and other course staff for development work on sections for multiple semesters. When the domain, routes (redirect URIs) and scopes are the same, you can (and should) share the use of a single dev key.

We recommend that scoped keys are turned on even during development. Keys must be scoped in production, so doing this step early will decrease headaches later. If you have separate development efforts on the same app happening simultaneously that require different scopes, you may want to create separate dev keys. However, please keep dev keys created to a minimum.

Use in Production

Once you have verified your workflow in your development environment using a dev key for the Sandbox AND you’ve determined a minimal set of scopes, you’re ready to request use in production. A staff or faculty member (not a student/student employee) should fill out this form which will open a ticket with the bCourses team.

More on OAuth2

Canvas Oauth2 Overview

If something is going wrong with authentication, make sure that what is listed in the developer key is correct. Redirect URIs must match exactly.

Back to Top

Accessibility Nondiscrimination

Copyright ©2026, Regents of the University of California and respective authors.

This site is built following the Berkeley Class Site template, which is generously based on the Just the Class, and Just the Docs templates.