I've been working all day on the problem described here: https://community.canvaslms.com/t5/Canvas-Developers-Group/Missing-verifier-on-attachment-url-Submissions-graphQL-query/m-p/461456 Unfortunately, I'm not a Ruby developer, so it's slow going reading the code, but it seems like doing a GraphQL query with a token is different from using a web login. It all seems to boil down to the `in_app?` function in application_controller.rb. Anyone know how to make that function go true when using a GraphQL query with a token?
thanx
ben
@ben_reed
Not all functionality through the REST API is supplied through GraphQL. This is one of those things. If you use the REST API, you will get a UUID for an attachment, which is the verifier code. Canvas is pushing GraphQL and says it's the future of API and people should start using it, but the support isn't there yet. The GraphQL stuff says that if you find something that isn't supported to let them know.
The in-app is part of the request forgery prevention process. Best I could find, it looks for an existing session. I will say, though, that I copied the entire request as a fetch command, then switched to a browser that wasn't logged in and executed it. It threw all kinds of CORS errors.
I then did a copy as cURL (bash) and went to a bash shell and executed it and it worked and included the verifier. I removed the cookie header and I got that I was unauthorized. If I remove the x-csrf-token header, then it is an unprocessable entity. I got it to work with these headers: x-csrf-token, cookie, content-type, accept
I then played around with the cookie to see what parts of it were absolutely necessary. It turned out that only two parts were: canvas_session and _csrf_token
Your question is how to get those without actually logging into Canvas. My answer is that it's a lot easier to use the REST API for this one since what you want isn't supported through GraphQL. Then ask Instructure to add support for the UUID on attachments to GraphQL.
If I absolutely had to have those headers, I could perform a headless login using puppeteer or selenium.
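An added example, not part of the original reply or of Canvas's own code: the REST route suggested above, using an access token in an `Authorization: Bearer` header instead of the `canvas_session` cookie and `x-csrf-token` header. The host name, IDs, token and sample response are constructed placeholders, the attachment fields (`id`, `uuid`, `url`) are assumed from the thread's description, and pagination beyond the first page is not handled.

```python
import json
import urllib.request
from urllib.parse import urlsplit, parse_qs

def build_request(base_url, course_id, assignment_id, token):
    """Build a token-authenticated REST request (no cookie, no CSRF header)."""
    url = (f"{base_url}/api/v1/courses/{course_id}"
           f"/assignments/{assignment_id}/submissions?per_page=50")
    return urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })

def fetch_submissions(request):
    """Send the request and decode the JSON list of submissions."""
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)

def attachment_verifiers(submissions):
    """Map attachment id -> (uuid field, verifier found in the url or None)."""
    found = {}
    for sub in submissions:
        # Submissions without uploaded files may lack the key or carry null.
        for att in sub.get("attachments") or []:
            query = parse_qs(urlsplit(att.get("url", "")).query)
            found[att["id"]] = (att.get("uuid"),
                                query.get("verifier", [None])[0])
    return found

# Constructed sample response: one url with a verifier, one without,
# and one submission with no attachments at all.
SAMPLE = json.loads("""[
  {"id": 1, "attachments": [
    {"id": 101, "uuid": "CONSTRUCTED-UUID-1",
     "url": "https://canvas.example.edu/files/101/download?download_frd=1&verifier=CONSTRUCTED-UUID-1"}]},
  {"id": 2, "attachments": [
    {"id": 102, "uuid": "CONSTRUCTED-UUID-2",
     "url": "https://canvas.example.edu/files/102/download?download_frd=1"}]},
  {"id": 3}
]""")

if __name__ == "__main__":
    for att_id, (uuid, verifier) in attachment_verifiers(SAMPLE).items():
        # Report presence only; the verifier value itself is kept out of output.
        print(att_id, "uuid present:", bool(uuid),
              "verifier in url:", verifier is not None)
```

Against a real instance, pass the result of `fetch_submissions(build_request(...))` to `attachment_verifiers` in place of `SAMPLE`.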