chrischall

canvas-parent-mcp

Community chrischall
Updated

canvas-parent-mcp

CInpmlicense

MCP server for Canvas LMS (Instructure), scoped for parent observers and student self-access. Targets https://cms.instructure.com by default but works against any Canvas instance.

Mirrors the read-only parent-portal scope of sibling infinitecampus-mcp. Users interact via the canvas_* tool prefix.

Tools

18 tools across profile, observees, courses, assignments, submissions, grades, calendar, planner, announcements, conversations, discussions, and files.

Domain Tools
Profile canvas_get_profile
Observees canvas_list_observees
Courses canvas_list_courses, canvas_get_course
Assignments canvas_list_assignments, canvas_list_missing_submissions
Submissions canvas_get_submission, canvas_list_recent_submissions (default 14d window)
Grades canvas_list_enrollments
Calendar canvas_list_calendar_events, canvas_list_upcoming_events
Planner canvas_list_planner_items
Announcements canvas_list_announcements
Conversations canvas_list_conversations, canvas_get_conversation
Discussions canvas_list_discussion_topics
Files canvas_list_course_files, canvas_download_file

Tools that the harness will gate as write/IO operations: canvas_download_file.

Configuration

Set CANVAS_BASE_URL plus one of four auth modes. canvas-parent-mcp tries them in priority order:

  1. CANVAS_TOKEN → personal access token
  2. CANVAS_CLIENT_ID + CANVAS_CLIENT_SECRET + CANVAS_REFRESH_TOKEN → OAuth
  3. CANVAS_USERNAME + CANVAS_PASSWORD → session-scrape (direct Canvas accounts only)
  4. fetchproxy fallback → no env vars needed; reads canvas_session + pseudonym_credentials cookies from your signed-in Canvas tab via the fetchproxy browser extension

If none succeed, you get an error that names every escape hatch.

Mode A — fetchproxy fallback (recommended, zero config)

CANVAS_BASE_URL=https://cms.instructure.com

Install the fetchproxy 0.3.0 Chrome / Safari extension (Chrome Web Store / Safari .dmg), sign into your Canvas instance once, and the MCP reads your session cookies at startup. After that, all Canvas API calls go directly from Node — the extension is not in the request hot path. Works with any auth flow (SSO/SAML/2FA included) because Canvas itself handled the sign-in.

Multiple districts? Declared domain instructure.com matches every *.instructure.com host, so you only pair the extension once. The MCP uses whichever district you set in CANVAS_BASE_URL.

Set CANVAS_DISABLE_FETCHPROXY=1 to opt out (missing creds become a hard error — useful in headless CI).

Mode B — username/password (legacy session-scrape)

CANVAS_BASE_URL=https://cms.instructure.com
[email protected]
CANVAS_PASSWORD=your-canvas-password
CANVAS_NAME=cms                # optional, defaults to host portion of base URL

Direct Canvas accounts only — won't work with SAML/Google/Microsoft SSO or 2FA. Brittle (breaks on every Canvas login-page restyling). Prefer fetchproxy if your tab is already signed in. Treat .env like a password file.

Advanced alternatives

Personal access token — simplest if your admin allows it
CANVAS_BASE_URL=https://cms.instructure.com
CANVAS_TOKEN=your-personal-access-token

Generate via Canvas → Account → Settings → "+ New Access Token". Most institutions have disabled this for non-admins.

OAuth via mobile QR code — bootstrapped from the mobile-app login flow
CANVAS_BASE_URL=https://cms.instructure.com
CANVAS_CLIENT_ID=...
CANVAS_CLIENT_SECRET=...
CANVAS_REFRESH_TOKEN=...

If your account uses SSO and you can't use fetchproxy (e.g. headless server), mint OAuth credentials by reusing the Canvas mobile-app QR-login flow — see Bootstrapping OAuth via the mobile QR code below.

Precedence when multiple are set: CANVAS_TOKEN > username/password > OAuth > fetchproxy.

See .env.example.

Bootstrapping OAuth via the mobile QR code

If your Canvas admin has disabled personal-access-token creation (some institutions restrict tokens to "the mobile app only") AND your account uses SSO so username/password can't auth, you can mint OAuth credentials by going through the same QR-login flow that the official Canvas mobile apps use:

  1. In Canvas web, open Account → QR for Mobile Login — Canvas shows a QR that's valid for 10 minutes.

  2. Decode the QR with any QR reader. The result is a URL on sso.canvaslms.com like https://sso.canvaslms.com/canvas/login?domain=...&code=....

  3. Run the bundled helper:

    npx canvas-parent-mcp-qr-login "<decoded-qr-url>" >> .env
    

    It hits Canvas's public mobile_verify.json endpoint to fetch the mobile client_id/client_secret, exchanges the QR's one-time code for an access+refresh token pair, and prints CANVAS_BASE_URL / CANVAS_CLIENT_ID / CANVAS_CLIENT_SECRET / CANVAS_REFRESH_TOKEN to stdout. The refresh token is sensitive — treat it like a password.

This reuses the same SSO + OAuth endpoints the official Canvas Student/Parent apps use; from Canvas's perspective the resulting session looks like a mobile-app session. Use it only against accounts you legitimately control.

Status

Unofficial — not affiliated with Instructure. AI-maintained.

Acknowledgement of Terms

By using this MCP server, you acknowledge and agree to the following:

1. This server accesses your own Canvas account via the official Canvas REST API. Auth happens via your own personal access token, issued by your institution. It does not — and cannot — access anyone else's enrollments, grades, or messages.

2. Instructure's Canvas API Policy governs your use of this server, in addition to your institution's own acceptable-use policy. The clauses most relevant here:

You may not use our APIs on behalf of any third-party… You may not use or access our APIs for competitive purposes… You may not interfere with our APIs, our systems, or other users… You may not circumvent any contractual usage limits.

On rate limits: "limits are enforced per user access token… with dynamic throttling." On data: "Any user information retrieved through the API—including course enrollments, grades, and profile information—should be considered and treated as private information."

You are agreeing to those terms — read by the maintainer 2026-05-23 — every time you invoke a tool in this server.

3. Personal, observer/student/parent use only. This project is not affiliated with, endorsed by, sponsored by, or in partnership with Instructure, Inc. or any school district. It is a personal automation tool for an authenticated Canvas user (typically a parent observer) to read their own (or their student's) enrollments, assignments, grades, and announcements. Do not use it to bulk-extract a district's course content, redistribute student data, or train AI models on student records.

4. FERPA + your institution's AUP apply. Student educational records are protected under the federal Family Educational Rights and Privacy Act (FERPA). Even though your token grants you lawful access, how you store, redistribute, or feed that data into LLMs is regulated. Treat any output (grades, assignments, comments, conversations) as confidential student data. Your institution's acceptable-use policy may add further restrictions on automated access — check before automating.

5. Your token is yours alone. Do not commit CANVAS_API_TOKEN to git, do not paste it in shared chats, and rotate it if it's ever exposed. A leaked token grants full Canvas access scoped to your user.

6. You accept full responsibility for any consequences of using this server in connection with your Canvas account — rate limiting (dynamic throttling kicks in well below documented limits when Canvas is under load), token revocation, account warnings, institution-admin investigations, or any enforcement action. If Instructure or your institution objects to your use, stop using this server.

This section is the maintainer's good-faith summary of the terms — it is not legal advice and does not modify or supersede Instructure's actual Canvas API Policy or your institution's policies.

MCP Server · Populars

MCP Server · New

    cauldr0nx

    EspoCRM MCP Server

    Opensource MCP Server for EspoCRM

    Community cauldr0nx
    cisco-open

    Network Sketcher

    Network Sketcher is an AI-ready network design tool with Local MCP, Online, and Offline editions for creating network designs and exporting PowerPoint diagrams and Excel-based configuration data.

    Community cisco-open
    IvanMurzak

    ✨ AI Game Developer — Godot MCP

    Godot-MCP — Model Context Protocol (MCP) integration for the Godot Engine. AI tools for the Godot Editor in C#, with cloud connection to ai-game.dev. Apache-2.0.

    Community IvanMurzak
    cyberlife-coder

    velesdb

    The local-first memory engine for AI agents. One offline Rust binary fuses vector + graph + columnar under SQL — remember / recall / why over the Model Context Protocol. why() reconnects a decision to its context across sessions, where pure vector recall (Mem0/Zep) goes blind. Runs on server, laptop, browser, edge. Zero cloud.

    Community cyberlife-coder
    abskrj

    velane

    Velane is integration infrastructure agents actually control — 800+ OAuth integrations, sandboxed Bun and Python execution, and a full deployment pipeline managed via MCP

    Community abskrj