Canvas Automation - How do I create, destroy and manage a bearer token for use with Postman?
This article describes how to manage bearer tokens, which are development tokens used by Postman to make Canvas API requests.
What is a bearer token?
A bearer token is a key to Canvas. Using the key unlocks Canvas with all the power you have access to. If you can view grades in Canvas, delete courses, add modules, and create quizzes in Canvas, so can anyone or anything with the bearer token.
Typically, people who develop software applications that connect with Canvas use bearer tokens to test their applications before implementing stronger security with less risk.
Bearer tokens are powerful pieces of data that must be protected and stored safely.
Requirements for using and storing a bearer token
Before CETL will provide access to Postman collections, written agreement is required stating adherence to these requirements.
- Use of Postman collections for Canvas is subject to the UW System's Acceptable Use of Information Technology Resources policy. Use is also subject to the Instructure Canvas API Policy.
- Store bearer tokens in a safe place. If available, use UWM's Password Manager Pro suite. Otherwise, store the bearer token in a password safe. For more information on password management, contact UWM Information Security.
- Replace your bearer token weekly. As a best practice, expire your bearer token on Saturday, and re-create it the first time it is needed the following week.
How to create, delete and re-create a bearer token
Instructure provides comprehensive documentation on managing bearer tokens. Refer to "How do I manage API access tokens as a student?" on the Canvas LMS website.
- Refer to "Open User Settings" to access the necessary page to create a bearer token.
- Refer to "Add Access Token" to create a bearer token. Set your token to expire the Saturday after you create the token.
- To re-create your token, first refer to "Delete Access Token" to remove the previous token. Then, add a new token.
Adding a token to Postman
Are you using a UWM Canvas Postman collection?
Bearer tokens are stored in the environment profile.
- Click the Eye icon in the upper right corner of the Postman window.
- Click the Edit link.
- A pop-up window appears. Look for the "token" line. In the "Initial Value" column, paste the bearer token.
- At the top of the window, click the "Reset All" link.
- Click the Update button.
- Click the close (X) icon in the upper right corner of the window to close the "Manage Environment" window.
Are you using your own collection?
Bearer tokens can be used in individual API calls, in collection folders, and in environments. A best practice is to store the bearer token in an environment rather than the API call. Refer to the following Postman Learning Center articles for more information.
- Postman Learning Center - Authorization - Refer to "Inherit auth from parent" to learn how to set all API calls to use the same security as the collection folder.
- Postman Learning Center - Variables - Refer to "Defining collection variables" and "Accessing variables in the request builder" to define a collection variable for the bearer token, and set it to an environment variable.
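Because the bearer token is kept in the environment's "token" variable, an exported environment file contains it in clear text. The following is an added example, not part of the original article or of the UWM collection: it blanks that variable in an exported environment before the file is stored or shared, and computes the Saturday expiry date called for in the requirements above. The export layout (a `values` list of `key`/`value` entries), the function names and the sample data are assumptions constructed for illustration.

```python
import json
from datetime import date, timedelta

# Constructed sample of an exported Postman environment (not real data).
SAMPLE_EXPORT = json.dumps({
    "name": "Canvas (sample)",
    "values": [
        {"key": "domain", "value": "canvas.example.edu", "enabled": True},
        {"key": "token", "value": "CONSTRUCTED-PLACEHOLDER-TOKEN", "enabled": True},
    ],
})

# Variable name this article uses for the bearer token.
SECRET_KEYS = {"token"}


def redact_environment(export_text, secret_keys=SECRET_KEYS):
    """Blank secret variables; return (redacted JSON text, redacted names)."""
    env = json.loads(export_text)
    redacted = []
    for var in env.get("values", []):
        # Match case-insensitively and skip variables that are already empty.
        if var.get("key", "").lower() in secret_keys and var.get("value"):
            var["value"] = ""
            redacted.append(var["key"])
    return json.dumps(env, indent=2), redacted


def saturday_expiry(created):
    """Return the Saturday after the creation date (weekly rotation)."""
    days_ahead = (5 - created.weekday()) % 7  # Monday=0 ... Saturday=5
    # A token created on a Saturday expires the following Saturday.
    return created + timedelta(days=days_ahead or 7)


if __name__ == "__main__":
    text, names = redact_environment(SAMPLE_EXPORT)
    print("Redacted variables:", names)
    print(text)
    print("Set token expiry to:", saturday_expiry(date.today()))
```
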