Do teachers need a separate account in Lectora after the LTI install?

No. Once Lectora is installed via LTI, teachers launch it from a course's left sidebar in Canvas and are signed in automatically using their Canvas identity (a signed JWT issued at launch). No signup, no token, no separate Lectora password.

What happens if I toggle a Developer Key OFF?

It depends on which of the two keys you toggle. Toggling the LTI Registration key OFF stops Lectora launches in every course immediately and globally — the link in the course sidebar still appears but launching it fails. Toggling the API Key OFF lets teachers still launch Lectora but breaks all Canvas API calls — courses load, but submissions don't appear and grades can't post back. In both cases, toggling ON again restores everything; no data is lost on the Lectora side.

Can I install Lectora at a sub-account level instead of the root account?

Yes. Installing at a sub-account makes Lectora available to that sub-account and any sub-accounts beneath it, but not to siblings or to the root account. Use this when you want to scope a pilot to one faculty or school before extending institution-wide.

What if my registration iframe shows a blank page?

Canvas couldn't reach your Lectora URL. Verify the URL is correct, publicly reachable, and serves HTTPS — open it in a browser; you should get a JSON response. If you're behind a corporate firewall and Lectora is self-hosted on a private network, you'll need to expose the registration endpoint or whitelist Canvas's outbound IP range.

I got a "Platform rejected registration" error — what's going on?

The registration token Canvas issued has expired or is wrong. Close the modal and restart Dynamic Registration from Step 3 — Canvas issues a fresh token each time you open the registration dialog. Your API Developer Key from Step 2 is unaffected; you don't need to recreate it.

The launch works but grades don't post back to Canvas. Why?

The Canvas API Developer Key from Step 2 has been disabled, its secret has been rotated, or Enforce Scopes is on with an incomplete scope list. Check, in this order: in Canvas → Admin → Developer Keys, is the API Key from Step 2 still toggled ON? If yes, has anyone clicked Show Key and rotated the secret recently? If so, you'll need to re-enter the new Client ID and Secret in Lectora — either by re-running Dynamic Registration with the new values, or by having your Lectora administrator update the credentials directly. If both check out, look at the API Key's Enforce Scopes setting — disable it during testing, or ensure it grants read access to courses, assignments, and submissions, and write access for grades.

Teachers see "Invalid signature" or "Missing iss" — how do I fix it?

Clock skew between Canvas and Lectora. JWTs only allow a small skew window. Ensure both servers have NTP-synchronised clocks; if Lectora is self-hosted, check that your server's time is within a few seconds of UTC.

SETUP GUIDE · CANVAS ADMIN

How do I install Lectora in Canvas with LTI 1.3?

This guide is for Canvas administrators installing Lectora institution-wide via LTI 1.3 Dynamic Registration — about fifteen minutes of work that ends with every teacher in your Canvas instance launching Lectora directly from a course's left navigation, no per-teacher tokens to manage. The install creates two Canvas Developer Keys: an LTI Registration key (created automatically by Dynamic Registration) and a separate API Key for Canvas REST API access that lets Lectora read submissions and post grades back. Both are required — Canvas's LTI keys can't perform the OAuth authorization_code grant Lectora needs for API access, so the API Key is a second key you create manually before confirming the LTI registration. If you only want a single teacher to try Lectora on their own courses before involving IT, the personal access token quickstart is the lighter path. For multi-teacher deployments, LTI 1.3 is the only compliant option — Canvas's API Policy restricts personal access tokens to single-user use.

Why LTI 1.3 (and not per-teacher tokens)?

For multi-teacher deployments, LTI 1.3 is the only compliant integration path. The Canvas API Policy and Canvas's OAuth2 manual-token-generation docs restrict personal access tokens to personal, single-user use; a third-party app that asks each teacher to generate and hand over a token isn't a compliant integration.

Beyond compliance, the LTI install also gives you one-click teacher onboarding (teachers just open Lectora from a course's left navigation, no signup or token to copy), centralised lifecycle control (toggle the LTI Developer Key OFF and Lectora stops working everywhere instantly), stable identity (Canvas issues signed JWTs on every launch, with no long-lived secrets sitting in user accounts that can leak or get forgotten when a teacher leaves), and a single institution-level OAuth Developer Key — separate from the LTI key, created during the install — that handles Lectora's Canvas API access for every teacher in one place, so grade-passback works without per-teacher tokens.

What gets installed?

Two Canvas Developer Keys with two distinct roles. The API Key lets Lectora call the Canvas REST API on each teacher's behalf — reading submissions, posting grades back — using the OAuth 2.0 authorization_code grant. You create it manually in Step 2 by clicking + Developer Key → API Key and copying its Client ID and Secret out. The LTI Registration key handles "click Lectora in the course sidebar and get logged in" — it implements the LTI 1.3 launch handshake, signed JWTs, and the course-navigation placement. Canvas creates it automatically when you run Dynamic Registration in Step 3 (+ Developer Key → LTI Registration).

Both keys are required. Canvas LTI keys can't perform the OAuth authorization_code grant, so the API Key is not something the LTI Registration can replace — they're two complementary keys for two different protocols. The only manual paste anywhere in the flow is the API Key's Client ID and Secret from Step 2 into the Dynamic Registration confirmation iframe in Step 4. No JSON, no config files, no manual key generation.

One quietly useful detail: when you run Dynamic Registration at the Admin level (the default for institution-wide installs), Canvas automatically creates the External App entry for Lectora at that account too. By the time you finish Step 5, Lectora is available in every course under the account where you registered. The per-course manual install step is only needed for narrow, single-course pilots — see Step 6 for the verification and the narrow-rollout path.

What do you need before starting?

Three things. Canvas admin access at the Site Admin or root account level — without that you won't see Developer Keys in the admin menu. Your Lectora URL — for most institutions this is the hosted production app at https://lectora.app, which is the recommended path: we run it, we patch it, your team operates no infrastructure. Institutions with strict data-residency requirements can instead self-host Lectora (it's open source) on their own domain; in that case, substitute your domain wherever this guide shows lectora.app. The registration endpoint is always your Lectora URL plus /api/lti/register. And network reachability — Canvas must be able to reach your Lectora URL over HTTPS, so if you're piloting against a Canvas instance behind a corporate firewall, confirm this with your network team first.

A note on the two Developer Keys you'll create. The LTI Registration Developer Key is created automatically when you complete Dynamic Registration in Step 3 — it handles teacher launches from the course sidebar. A separate API Developer Key for Canvas REST API OAuth is created manually in Step 2 below and pasted into the Dynamic Registration confirmation page — it lets Lectora read submissions and post grades back to Canvas as the teacher who launched it. The API Key is a separate key because Canvas LTI keys don't support the authorization_code OAuth grant; this is a Canvas constraint, not a Lectora one. Without the API Key, Canvas will reject the Dynamic Registration submission, so we create it first.

Step 1 — Open Developer Keys

In Canvas, click Admin in the left sidebar.
Choose Developer Keys from the admin menu.

You'll land on the Developer Keys list — usually empty for new installs, or showing any existing third-party tools.

Canvas left sidebar with the Admin item highlighted and arrows pointing from Admin to the Developer Keys link in the admin menu. — Step 1 — Canvas Admin sidebar → Developer Keys

Step 2 — Create the Canvas API Developer Key

A separate Developer Key — distinct from the LTI Registration key — that lets Lectora call the Canvas API for grade-passback. The Dynamic Registration confirmation iframe in Step 4 has required fields for this key's Client ID and Secret, so create it now to have those values ready.

On the Developer Keys page, click + Developer Key in the top-right.
Choose + API Key from the dropdown (the top option of three).
Fill in the Key Settings form. Leave everything else at its defaults:
- Key Name — Lectora API Access
- Owner Email — your admin email (Canvas sends rotation and maintenance notifications here)
- Redirect URIs — paste the Lectora OAuth callback URL (below)
- Icon URL — https://lectora.app/icon.svg (or your self-hosted Lectora domain plus /icon.svg)
Set Enforce Scopes to OFF for now. Newer Canvas instances default this to ON, which requires you to pre-select every scope Lectora needs — easier to verify the install end-to-end first, then harden.
Click Save.
On the Developer Keys list, toggle the new key's State to ON.
Copy the Client ID from the Details column (a long numeric string like 10000000000040).
Click Show Key to reveal the Secret, copy it, and paste both Client ID and Secret into a temporary scratch pad. You'll need them in Step 4.

Once end-to-end grading is verified (Step 7), come back here and turn Enforce Scopes on. Select only the scopes Lectora actually needs — courses, assignments, submissions, users, enrollments, files, rubrics. A leaked API token with unrestricted scopes is much more dangerous than a leaked scoped token.

Hosted production OAuth callback URL — paste this into the API Key's Redirect URIs field. Self-hosters substitute their own Lectora domain.

https://lectora.app/api/auth/canvas/callback

The + Developer Key dropdown opened on the Developer Keys page, with the + API Key option highlighted at the top of the three options. — Step 2 — `+ Developer Key` dropdown, API Key option highlighted

Canvas Key Settings dialog for an API Key with Key Name set to Lectora API Access, Owner Email, Redirect URIs, and Icon URL filled in, and the Enforce Scopes toggle visible on the right. — Step 2 — Key Settings form, fields filled in

The Show Key reveal modal displaying the API Key secret with a Copy button highlighted, and a warning that Canvas only shows this secret once. — Step 2 — Show Key modal. Canvas only shows the secret once; copy it now.

Step 3 — Start a Dynamic Registration

With the API Key credentials safely copied, you're ready to register Lectora as an LTI tool.

Back on the Developer Keys list, click + Developer Key again in the top-right.
Choose + LTI Registration from the dropdown (the third option).
In the modal that opens, choose Dynamic Registration (the first option).
Enter your Lectora registration endpoint in the URL field (below).
Click Continue.

Hosted production registration URL. Self-hosters substitute their own Lectora domain.

https://lectora.app/api/lti/register

The + Developer Key dropdown opened a second time, this time with the + LTI Registration option highlighted (third in the list). — Step 3 — `+ Developer Key` dropdown again, this time choose LTI Registration

The Dynamic Registration modal with the Lectora registration URL filled into the URL field and the Continue button highlighted. — Step 3 — Dynamic Registration dialog with the URL entered

Step 4 — Confirm the installation

Canvas opens Lectora's confirmation page inside an iframe. It shows the Canvas instance Lectora detected, the placements Lectora will request (course navigation), and two required OAuth credential fields.

Paste the Client ID you copied in Step 2 into the OAuth Client ID field.
Paste the Secret you copied in Step 2 into the OAuth Client Secret field.
Review the placements (course navigation should be checked).
Click Confirm Installation.

The iframe closes automatically on success.

Lectora-branded confirmation page rendered inside the Canvas registration iframe, with the OAuth Client ID and Secret fields populated from Step 2 and the Confirm Installation button highlighted. — Step 4 — Confirmation page with the OAuth Client ID and Secret pasted in from Step 2

Step 5 — Enable the LTI Developer Key

Back on the Developer Keys list, you'll now see two Lectora rows — the API Key from Step 2 (already ON) and the new LTI Registration key (starts OFF).

Find the new LTI Registration row.
Toggle its State to ON — new keys start OFF.
Copy the Client ID of the LTI Registration key from the Details column. You'll need it in Step 6 (a long number, typically 10000000000123 or similar).

Canvas Developer Keys list showing both Lectora keys — LTI Registration and API Key — both toggled ON. This is the complete install snapshot. — Step 5 — Both keys ON. Two keys, both green — the install is complete on the Canvas side.

Step 6 — Verify Lectora is installed (and optionally narrow the scope)

Good news: the tool is already installed. When you ran Dynamic Registration in Step 3 at the Admin level, Canvas automatically created an External App entry for Lectora, and toggling the LTI key ON in Step 5 activated it across every course beneath that account.

Go to Admin → Settings → Apps tab → View App Configurations.
Look for a Lectora row in the list — that confirms the account-level install landed.

If you ran Dynamic Registration at the root account, every course in your Canvas instance can now show Lectora — jump to Step 7 to verify a teacher-side launch.

Optional — narrow-rollout path. Use this only when you want to pilot Lectora with one department, school, or course before rolling out wider. If the tool is already installed account-wide, skip this step; Lectora's already available everywhere.

Open the course → Settings → Apps tab → View App Configurations.
Click + App in the top-right.
Set Configuration Type to By Client ID.
Paste the LTI Registration key's Client ID from Step 5.
Click Submit, then confirm when Canvas asks Tool found, install?.

Rare fallback. If Lectora isn't listed in Admin → Settings → Apps after Step 5, the auto-install didn't happen. Install it manually using the same flow as the narrow-rollout path above, but at the admin level (Admin → Settings → Apps → + App → By Client ID → paste → Submit).

Course Settings Apps tab with the + App dialog open, Configuration Type set to By Client ID and the LTI Registration key's Client ID pasted in. — Step 6 (narrow rollout only) — per-course install via By Client ID

Course Settings Navigation tab with Lectora being dragged from the hidden items list at the bottom up into the visible items list at the top. — Step 6 fallback — drag Lectora from hidden to visible in the course's nav order

Step 7 — Verify it works

Fastest end-to-end test:

Open a course where Lectora is installed.
Click Lectora in the left sidebar.
Confirm the Lectora course view loads inside Canvas with your courses listed.

If you got here, installation is complete. Teachers in any installed course can now use Lectora without any additional setup — send them a one-liner: "Open any course where Lectora is installed and click Lectora in the left sidebar; it'll log you in automatically."

Lectora rendered inside a Canvas course iframe — the successful launch from a teacher's perspective, with the Lectora course view visible inside Canvas. — Step 7 — successful launch from a teacher's perspective

Updating or removing the installation

To change Lectora's LTI configuration (for example to update placements or scopes after a Lectora release), go to Admin → Developer Keys, click the pencil edit icon on the LTI Registration key, re-enter the registration URL, and click Save. Canvas re-fetches the configuration; existing course installations continue working without changes. To rotate the API Key's secret, click Show Key on the API Key row to generate a new secret, then re-run Dynamic Registration with the new value (or have your Lectora administrator update the stored credential directly).

To uninstall completely, you need to remove both keys. Either remove the External App from each course (Course Settings → Apps → Lectora → trash icon), or delete the LTI Registration key (Admin → Developer Keys → trash icon on the Lectora LTI row) to disable Lectora launches everywhere at once. Then also delete the API Key (trash icon on the Lectora API Access row) so Lectora can no longer call the Canvas API. Toggling either key OFF instead of deleting it is a safer reversible alternative if you're not sure.

About 15 minutes if you have Canvas admin access and a Lectora URL ready — five for creating the API Developer Key (Step 2), five for Dynamic Registration and toggling the LTI key on (Steps 3–5), and five for making Lectora available in courses and verifying (Steps 6–7). The longest delay is usually scheduling time with your Canvas root account admin, not the install itself.