Canvas Docs
  • GETTING STARTED
    • Our docs have moved
    • Connect your data
      • App and database connectors
      • Snowflake
      • BigQuery
      • Redshift
      • Postgres
        • Use an SSH tunnel
      • Static IP Addresses
      • dbt
        • dbt Cloud
        • dbt via GitHub
    • Create your first canvas
    • Onboarding your team
  • Building canvases
    • Import data
    • Formulas
    • SQL
    • Joins
    • Pivot tables
    • Charts
    • Filters
      • Date filters
      • Text search filters
      • Multi-select filters
    • Canvas API
    • Events API
    • Embed Login API
  • Embeds
    • Public Embeds
    • Scopes
    • Walkthrough
    • PowerPoint embeds
  • Managing users
    • Assigning permissions
  • Security
    • Data security
    • Bug bounty program
    • Privacy policy
    • Terms of service
Powered by GitBook
On this page
  • Guide
  • Implement the backend
  • Implement the frontend
  • Canvas setup
  1. Building canvases

Embed Login API

Embed links in your application that log your users into Canvas

PreviousEvents APINextPublic Embeds

Last updated 1 year ago

Canvas allows your to generate links that log your users into your Canvas account and optionally redirect them to a specific dashboard.

If you want to use this API please request that Canvas enable this for you.

Guide

Navigate to your and click "Create key" under the Embed API section. Save this key securely. This key has the ability to grant access to your account. This key cannot be retrieved once generated.

Implement the backend

If you implement your own backend we recommend using libsodium to sign the tokens as well. You can follow this guide.

The key you receive from Canvas is actually an [identifier].[key] pair where the key is your secret key and the identifier is a unique identifier for this key in Canvas. You use the key portion to generate your encrypted payloads and simply include the identifier in the last step.

Canvas expects the encrypted message payload to be a JSON string with the following structure:

{
    email: [email of the user in Canvas],
    exp: [unix time in seconds the token should be valid until],
    userId: [optional identifier for the user],
    firstName: [optional first name of user],
    lastName: [optional last name of user],
}

The encrypted payload and the nonce should then unpacked from bytes into hex for transmission.

This should then be included in the following token payload to Canvas:

{
    message: [hex encoded payload],
    nonce: [hex encoded nonce],
    keyId: [key identifier from Canvas signing key],
}

Stringify and base64 encode this to get your token.

Implement the frontend

On the frontend you only need to add a link with the following structure:

https://canvasapp.com/signed_login?token=[generated token]&redirect=/canvas/your_canvas_id

The redirect portion is optional. If not included the user will be redirected to the Canvas homepage.

Canvas setup

Any emails that you want to login with this method will need to be invited to your Canvas team beforehand.

Using the signing key your application backend can generate tokens that grant bearers permission to login to Canvas. You can use one of Canvas' to generate the tokens or use them as a guide to implement your own generation.

The key is generated using .

This payload should be using the key portion of the signing key and a nonce

clients
libsodium
encrypted
settings page