Comment on page
Embed Login API
Embed links in your application that log your users into Canvas
Canvas allows your to generate links that log your users into your Canvas account and optionally redirect them to a specific dashboard.
If you want to use this API please request that Canvas enable this for you.
Navigate to your settings page and click "Create key" under the Embed API section. Save this key securely. This key has the ability to grant access to your account. This key cannot be retrieved once generated.
Using the signing key your application backend can generate tokens that grant bearers permission to login to Canvas. You can use one of Canvas' clients to generate the tokens or use them as a guide to implement your own generation.
If you implement your own backend we recommend using
libsodiumto sign the tokens as well. You can follow this guide.
The key you receive from Canvas is actually an
[identifier].[key]pair where the
keyis your secret key and the
identifieris a unique identifier for this key in Canvas. You use the
keyportion to generate your encrypted payloads and simply include the
identifierin the last step.
Canvas expects the encrypted message payload to be a JSON string with the following structure:
email: [email of the user in Canvas],
exp: [unix time in seconds the token should be valid until],
userId: [optional identifier for the user],
firstName: [optional first name of user],
lastName: [optional last name of user],
The encrypted payload and the nonce should then unpacked from
This should then be included in the following token payload to Canvas:
message: [hex encoded payload],
nonce: [hex encoded nonce],
keyId: [key identifier from Canvas signing key],
base64encode this to get your token.
On the frontend you only need to add a link with the following structure:
redirectportion is optional. If not included the user will be redirected to the Canvas homepage.
Any emails that you want to login with this method will need to be invited to your Canvas team beforehand.