Instructure API | Policy

Effective Date: December 15, 2024

Instructure, Inc. (and its affiliate(s), collectively “Instructure”, “us”, or “our”) has developed this API Policy (“API Policy”) which governs each individual’s (“you” or “your”) use of the Canvas API (“Canvas API”) and/or the DAP Query API (also known as the CD2 API) (“DAP API”) (collectively, the “API(s)”).

This API Policy refers to entities identified in an Instructure Order Form (“Customers”) and individuals authorized by Customers to use Instructure’s proprietary software as a service, including your applications (“Users”).

1. Modifications to this Policy

Instructure reserves the right, in its sole discretion, to modify this API Policy by providing you with reasonable notice, including posting the update on our website. If in Instructure’s sole judgment an update materially affects your rights or obligations, we will provide you with actual notice and at least 30 days’ notice before the update goes into effect. Any other updates will be effective on the date the updated API Policy is posted on our website. Your continued offering of one or more application(s) using the APIs after an update goes into effect will constitute acceptance of the update. If you do not agree with an update, you may stop offering your application(s) at any time. You are responsible for reviewing and becoming familiar with any modifications. Modifications are effective when first posted. For more information on notifications about changes to the API functionality, see the Deprecation and API Changes section below.

2. Principles

Applications that access our APIs should adhere to the following principles:

  • Don't impersonate.
  • Don't surprise Customers or Users.
  • Be transparent and respect the privacy of any information retrieved.
  • Don't overload Customers or Users.

Additionally, your applications must adhere to API rate limits (see the API Rate Limits section below).

A. Don’t Impersonate

  • Your application should not mirror or replicate Instructure, our products, or any other organization using our products.
  • Do not impersonate or facilitate impersonation of others in a manner that can mislead, confuse, or deceive users.
  • End users should understand that your application is integrated with Canvas but is an independent resource.
  • You should not remove or alter any proprietary notices in the Canvas API.

B. Don’t Surprise Customers or Users

You should not do the following:

  • Use the APIs for purposes other than what your application states or implies;
  • Confuse or mislead Customers or Users about the source or purpose of your application;
  • Confuse or mislead Users about the way you use or process their information;
  • Engage in retroactive changes of terms of service or privacy policies;
  • Use business names and/or logos in a manner that can mislead, confuse, or deceive Customers or Users;
  • Use the APIs on behalf of any third-party;
  • Facilitate or encourage the publishing of links to malicious or obscene content; or
  • Infringe on the IP rights of any Customer, User, or third party.

Your application must outline what actions your application will take on the Customer’s or User's behalf as part of the application registration process.

C. Be Transparent and Respect the Privacy of any Information Retrieved

  • Any User information (including course enrollments, grades, profile information, etc.) retrieved through the API should be considered and treated as private information and, in some cases, will be protected by law and regulations.
  • Know what information your application will disclose to the public or to other products and services, and clearly notify Users about what information will be disclosed.
  • Do not facilitate or encourage the publishing of private or confidential information.
  • As between you, Customer, and User, all rights, title and interest in the information you receive via your application(s) that access the APIs should be treated as that of Customer or User.

D. Don’t Overload Customers or Users

Canvas LMS provides a number of different ways to contact, notify, and inform Customers and Users of information. Where these methods are exposed in the Canvas API, it's important to monitor how often your application is pushing information to end-users.

In general, you should try to push information as rarely as possible, both to prevent end-user annoyance and also to make your pushes more effective. However, whenever your data practices become more permissive than previously disclosed, you must provide Customers and Users with actual notice before implementing the change, and provide Customers and Users with the ability to decline future service.

E. Be Transparent About Any Use of Generative Artificial Intelligence (“GAI”)

  • Notify Customers and Users about any use of GAI by your application.
  • Notify Customers if Customer or User inputs are being used to train the GAI model and/or if Customer or User inputs are being stored.
  • Notify Customers and Users that their data is not being used to train the GAI model.
  • All reports generated by GAI on your application should be labeled as GAI-generated.
  • Notify Customers and Users of the limitations of and risks associated with GAI technology.
  • Notify Customers that they maintain ownership of all right, title, and interest in information, data, or other materials uploaded by a User to Canvas, as well as information derived from that information, data, or other materials as a result of GAI.

2. Canvas API Rate Limits

Applications that access the Canvas API must not place undue load on Canvas LMS servers. Canvas LMS has an automatic rate limiting provision that dynamically adjusts as more concurrent and/or expensive requests occur. When the rate limit is exceeded, Canvas API requests will fail. Rate limiting is enforced per user access token so that partners who perform requests on behalf of multiple end-users will not be throttled per developer access token that they hold.

If an application regularly exceeds the API rate limits or uses a disproportionately large number of high-impact (e.g. non-GET) requests, Instructure may revoke your access tokens, or take other measures to ensure the stability of the Canvas LMS for all Customers and Users.

If you are concerned about hitting the rate limit, please contact your Customer Success Manager to seek assistance optimizing your application for lower impact on Canvas performance.

3. DAP API Rate Limits

To maintain fair usage and performance, we have implemented the following rate limits on the DAP Query API:

  • GET Requests:
    • /dap/query/{namespace}/table: 5 calls per minute
      • Example: If you try to list tables more than 5 times in a minute, you will hit the limit.
    • /dap/query/{namespace}/table/[table_name]/schema: 500 calls per minute
    • /dap/job/: 500 calls per minute
      • Example: If you check the status of a job more often than once every 0.12 seconds, you will hit the limit. The DAP CLI checks this endpoint every 5 seconds by default.
  • POST Requests:
    • /dap/query/canvas/table/[table_name]/data: 500 calls per minute
    • /dap/query/canvas_logs/table/[table_name]/data: 5 calls per minute
    • /dap/object/url: 200 calls per minute

Note: These limits are not additive. Reaching a limit for one request type or endpoint does not affect the limits of other types or endpoints. For example, if you reach the limit for GET requests on /dap/query/canvas/table, it will not impact your ability to make POST requests or GET requests on other endpoints.

If you anticipate needing higher limits, please reach out to your Customer Success Manager (CSM) to discuss your requirements.
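
A client-side throttle for the limits listed above, as an added example that is not part of this policy or of Instructure's DAP client library. It keeps one independent sliding 60-second window per listed endpoint, so exhausting one limit does not delay calls to another. The class name DapThrottle, the regex path patterns, treating /dap/job/ as a prefix, and the sliding-window choice are assumptions; the per-minute numbers are the ones listed above.

```python
import re
import time
from collections import deque

# (method, path pattern, calls per minute) taken from the list above.
# The regexes are this example's assumption about how the paths expand.
DAP_LIMITS = [
    ("GET", r"^/dap/query/[^/]+/table$", 5),
    ("GET", r"^/dap/query/[^/]+/table/[^/]+/schema$", 500),
    ("GET", r"^/dap/job/", 500),
    ("POST", r"^/dap/query/canvas/table/[^/]+/data$", 500),
    ("POST", r"^/dap/query/canvas_logs/table/[^/]+/data$", 5),
    ("POST", r"^/dap/object/url$", 200),
]


class DapThrottle:
    """Sliding-window limiter with one independent bucket per listed endpoint."""

    def __init__(self, clock=time.monotonic, window=60.0):
        self.clock = clock
        self.window = window
        self.buckets = [(m, re.compile(p), n, deque()) for m, p, n in DAP_LIMITS]

    def _bucket(self, method, path):
        path = path.split("?", 1)[0]  # limits apply to the path, not the query
        for m, rx, limit, calls in self.buckets:
            if m == method.upper() and rx.search(path):
                return limit, calls
        raise KeyError(f"no listed limit for {method} {path}")

    def wait_time(self, method, path):
        """Seconds until this call fits in the window (0.0 means send now)."""
        limit, calls = self._bucket(method, path)
        now = self.clock()
        while calls and now - calls[0] >= self.window:
            calls.popleft()  # drop calls that have left the window
        if len(calls) < limit:
            return 0.0
        return self.window - (now - calls[0])

    def acquire(self, method, path, sleep=time.sleep):
        """Block until the call is allowed, record it, return seconds waited."""
        waited = 0.0
        while (delay := self.wait_time(method, path)) > 0:
            sleep(delay)
            waited += delay
        self._bucket(method, path)[1].append(self.clock())
        return waited
```

Call `acquire(method, path)` immediately before each DAP request; a path with no listed limit raises `KeyError` rather than being sent unthrottled.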

Best Practices for Snapshot and Incremental Queries

As a reminder, when using the DAP API, it’s important to follow best practices for snapshot and incremental queries:

  • Snapshots: Use snapshots for initial data loads only. Since snapshots are resource-intensive, it is not recommended to request them frequently.
    • For example: POST /dap/query/canvas/table/[table_name]/snapshot
  • Incremental Queries: For ongoing data updates, use incremental queries to pull only the data that has changed since your last query. This approach is more efficient and reduces the load on both the API and your system.
    • For example: POST /dap/query/canvas/table/[table_name]/data?since=[timestamp]
  • Data Retention: Keep in mind that certain datasets, like canvas_logs, have a data retention policy (e.g., 30 days for web_logs). Regularly syncing your data using the incremental query approach will ensure that you do not lose any valuable information.
    • For example: POST /dap/query/canvas_logs/table/web_logs/data?since=[timestamp]

4. Deprecation and API Changes

To stay informed of changes to the DAP Query API, you can view the current API and CLI Change Log on the Instructure Community website. Additionally, the DAP CLI and Library will now be version controlled, allowing all changes to be tracked.

The Canvas API is versioned to allow for future enhancements. Instructure strives to deliver a platform that is stable, consistent, and secure so you can confidently build awesome on top of Canvas APIs.

Instructure will add, change, and remove API endpoints and fields from time to time using commercially reasonable efforts to provide communication as indicated:

| Type of change | Notice | What you should do |
| --- | --- | --- |
| Remove an endpoint | Endpoint will be marked DEPRECATED at least 90 days before endpoint is removed | Watch release notes |
| Remove a documented field in a result set | Field will be marked DEPRECATED at least 90 days before field is removed | Watch release notes |
| Remove an undocumented field in a result set | Undocumented fields can be removed or changed without notice | Avoid using these fields or be aware that they could be experimental and could change at any time |
| Add a field to a result set | Field can be added without prior notice | Write your code to be resilient to these types of changes |
| Add to the attribute set of a field in the result set | New values can be added to a field without prior notice | Write your code to be resilient to these types of changes |
| Change the attribute set of a field in the result set | Field value will be marked DEPRECATED at least 90 days before attribute is changed | Watch Current Canvas Releases & Deploys notes |
| Remove the attribute set of a field in the result set | Field value will be marked DEPRECATED at least 90 days before attribute is removed | Watch Current Canvas Releases & Deploys notes |
| Change to BETA endpoints, fields, or attributes | Can be removed or changed without prior notice | Watch Current Canvas Releases & Deploys notes |
| Changes related to fixing a security vulnerability | Any change related to repairing a security vulnerability could be made without prior notice | Watch Canvas Security Updates - Instructure Community |

Instructure has no liability to you as a result of any change, temporary unavailability, suspension, or termination of access to the Canvas API. Information and notices regarding Canvas API can be found in the Canvas Production Release Notes.

5. API Support

Developers on cloud-hosted Canvas can submit questions about or issues with the APIs to the Canvas Support team in one of the following ways:

Tickets that are submitted related to the Canvas API will be handled by Instructure following the same service-level agreement that applies to any other ticket from a customer.

Developers on self-hosted, open-source Canvas can get support through the Canvas developer community: