The Canvas Learning Management System, Brown’s primary LMS platform, provides the ability to interact with course and student data programmatically via API Access Tokens. Because Access Tokens provide access to protected data, Brown University requires that all Access Tokens be subjected to the same safeguards that are applied to all other software and technology integrations. To accommodate this requirement, Brown University no longer allows individuals to create their own Access Tokens.
As of March 2026, DLD in collaboration with the University Registrar’s Office, Office of General Counsel (OGC) and the Office of Information Technology (OIT) are in the process of drafting a formal request process for faculty/staff and students (with a faculty sponsor) to request access tokens for special projects.
Why Do We Limit Access Tokens?
Canvas Access Tokens provide access to course and student data that are subject to the following policies and practices:
1. Student Privacy (FERPA)
Student data includes grades, enrollment history, participation logs, and personal identifiers. Under the Family Educational Rights and Privacy Act (FERPA), the University has a legal and ethical obligation to ensure this data is only accessed for legitimate educational purposes.
2. Instructor Intellectual Property
At Brown University, all content within a Canvas course site is the intellectual property of the instructor. This includes original lectures, scholarly research, curated course materials, and proprietary data. Per University policy, this content may not be harvested, shared, or repurposed without the instructor's explicit permission.
3. Academic Integrity
Academic achievement is ordinarily evaluated on the basis of work that a student produces independently. Students who submit academic work that uses others’ ideas, words, research, or images without proper attribution and documentation are in violation of the academic code.
How Do I Request An Access Token
At this time, we are working on a form to collect requests. Until this form is available, please contact [email protected] with your request and we will contact you once the form is available.
Access Tokens Limitations
To ensure data security, student requests for access tokens must meet the following criteria:
- Faculty Sponsorship for Student Requests: Student Access Token requests must be submitted by a Faculty Sponsor as part of a faculty-approved project. The Faculty Sponsor will oversee and be accountable for both the project and the proper use of the data accessed via the Access Token for the project.
- Isolated Accounts: Access tokens will be generated off of a separate user account that only has access to the specific courses needed for the project. All identified courses must be owned/taught by the Faculty Sponsor and the student user must not be actively enrolled and completing course work in any of the courses.
- Time Limits: In alignment OIT practices, tokens will automatically expire after 120 days.
- Data Usage Restrictions: Any data collected through the Access Token should not be shared with 3rd party tools that may collect, retain ownership of, or share the data to train AI models.
- Improper Use of Tokens - If any user is discovered to be using the access token or the data pulled via the access token for uses other than the submitted project, their Access Token will be immediately revoked.
Resources
Need Additional Help?
- For help with Canvas, please contact [email protected].