We rolled out a security improvement to the API key creation flow for Data Access Platform. Every new API key generated through Identity Services at identity.instructure.com now requires an email verification step before it can be used.
Important scope note: This change applies only to API keys created through Identity Services for Data Access Platform by Instructure. It does not apply to developer API keys or access tokens you create inside Canvas. Those continue to work exactly as they have in the past.
What changed
Previously, when an admin generated a Data Access Platform API key at identity.instructure.com, the key was available immediately. Institutional keys could be revealed immediately, and partner keys triggered a one-time password email to the partner at the moment they were created.
With verified key release, that flow gets one extra step. After you create a key, we send a six-digit verification code to your admin email address. The key stays in a pending state until you enter the code. Once you verify, institutional keys become revealable, and partner keys trigger the one-time password to your partner, exactly as they did before.
What this does and doesn't cover
This change applies to:
- Data Access Platform institutional API keys (Client ID and Secret) generated through Identity Services at identity.instructure.com
- Data Access Platform partner API keys generated through Identity Services
This change does not apply to:
- Developer API keys created inside Canvas at Admin → Developer Keys
- API access tokens created in Canvas user settings
- Existing Data Access Platform keys created before rollout
If your team only works with Canvas developer keys, LTI tool credentials, or in-Canvas access tokens, nothing has changed for you.
Why we're doing this
The verification step confirms that whoever creates a Data Access Platform API key also has access to the admin email on file.
It's a small change with a meaningful security improvement: one more confirmation that the legitimate admin is on the other end of the request.
How the flow works
Need a refresher on creating a key? Follow our step-by-step guide: How do I generate a Canvas Data 2 API key.
- You start key creation at identity.instructure.com.
- A six-digit code arrives at the admin email on your Canvas account.
- You enter the code in the verification screen. The code is valid for five minutes.
- After you verify, the key is fully active. Institutional keys become revealable, and partner keys trigger the one-time password to your partner.
If something goes wrong, you have room to recover. You can request a new code up to three times per key, and you get five attempts to enter it correctly. The full window from key creation to verification is 15 minutes. After that the key locks, and you'll need to create a new one.
What admins should check
A few things worth confirming now:
- The admin email on your Canvas account is current and one you can reach quickly.
- Your IT team has allowed notifications@instructure.com so it doesn't get caught in spam filters.
- Any admins on your team who generate Data Access Platform keys know about the new step and have access to their own admin email at the time of creation.
Questions and feedback
Please see the FAQ below for more detail and drop any questions in the comments. We'll watch the thread and respond in line.
Thanks for your patience as we tighten security around one of the more sensitive admin actions in the Data Access Platform workflow.
Frequently Asked Questions: Verified API key creation
What's changing?
We're adding an email verification step when you create a Data Access Platform API key through Identity Services at identity.instructure.com. After you create a key, you'll get a six-digit code at your admin email address. You enter that code to activate the key. Until you verify, the key can't be used.
How do I create an API key?
Follow our step-by-step guide: How do I generate a Canvas Data 2 API key. The verification step described here happens right after you finish those steps.
Why are we adding this?
The verification step confirms that you, the legitimate admin, are the one creating the key.
Which keys does this apply to?
Both institutional API keys and partner API keys. The flow is the same up to the verification step. After you verify, institutional keys become revealable, and partner keys trigger the one-time password email to your partner.
Where does the code go?
The code is sent to the admin email on file in Canvas. You can confirm this address in your Canvas profile before you create a key.
How long do I have to enter the code?
The code itself is valid for five minutes. The full verification window — from key creation to successful verification — is 15 minutes. After 15 minutes, the key is permanently locked and can't be activated. You'd need to create a new one.
What if I don't get the code?
You can request a new code up to three times per key. If you still don't see it, check your spam folder, confirm the email address on your Canvas profile, and ask your IT team to check email filters.
What if I enter the wrong code?
You get up to five attempts per key. After that, the key is locked and you'll need to create a new one. We use a generic error message so attempted guesses don't reveal anything useful to potential unauthorized users.
Does this affect keys I've already created?
No. Existing keys keep working. Verification applies to keys created after the rollout.
When will my partner receive their one-time password?
Only after you successfully verify the key. The partner email won't go out until verification is complete, so no credentials leave the system before you've confirmed the action.
What happens if my key is locked?
Locked keys can't be activated or recovered. Create a new key and complete verification within the window.
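The limits described in this FAQ and under "How the flow works" amount to a small state machine: pending, verified, locked. The Python model below is an added example, not Instructure's code; the class, state names and return values are hypothetical. It assumes that a resent code replaces the earlier one and that every entry, including one made with an expired code, counts toward the five attempts.

```python
import hmac
import secrets

# Limits as stated on this page.
CODE_TTL = 5 * 60      # a code is valid for five minutes
WINDOW = 15 * 60       # key creation to verification: 15 minutes
MAX_RESENDS = 3        # new codes that can be requested per key
MAX_ATTEMPTS = 5       # code entries allowed per key
GENERIC_ERROR = "verification failed"  # constructed wording, same for every failure

class PendingKey:
    """Hypothetical model of one newly created key (times are in seconds)."""

    def __init__(self, kind, now):
        self.kind = kind               # "institutional" or "partner"
        self.created = now
        self.state = "pending"
        self.attempts = self.resends = 0
        self._issue(now)

    def _issue(self, now):
        # Assumption: a new code replaces the previous one.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.issued = now

    def _check_window(self, now):
        if self.state == "pending" and now - self.created > WINDOW:
            self.state = "locked"      # locked keys cannot be recovered

    def resend(self, now):
        self._check_window(now)
        if self.state != "pending" or self.resends >= MAX_RESENDS:
            return False
        self.resends += 1
        self._issue(now)
        return True

    def verify(self, submitted, now):
        self._check_window(now)
        if self.state != "pending":
            return GENERIC_ERROR
        self.attempts += 1             # assumption: every entry counts
        fresh = now - self.issued <= CODE_TTL
        match = hmac.compare_digest(submitted.encode(), self.code.encode())
        if fresh and match:
            self.state = "verified"
            # Release happens only now: reveal, or send the partner OTP.
            return "revealable" if self.kind == "institutional" else "partner_otp_sent"
        if self.attempts >= MAX_ATTEMPTS:
            self.state = "locked"
        return GENERIC_ERROR
```

Every failure path returns the same message, so a caller cannot distinguish a wrong code from an expired code or a locked key.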
Will this slow down my workflow?
For most admins, no. The code usually arrives within seconds, and entering it takes about as long as a typical two-step login.
Who do I contact with questions?
Reach out to your Canvas support contact or open a ticket through the standard support channel.