Canvas integration incident, May 1st 2026: what happened and what to do
Summary: On Friday, May 1st, Instructure rotated API credentials across a category of Canvas integrations as a precaution following a security incident on their side. A subset of FeedbackFruits Canvas integrations, specifically those using Canvas inherited API key configurations, were temporarily disrupted. The integration has been stable since ~13:00 UTC that day. There is no known misuse of FeedbackFruits API credentials.
Educators in affected courses need to reauthorize FeedbackFruits once for synchronization (course data, enrollments, scheduled grade pushes) to resume. No action is needed from LMS admins.
If your institution uses a manual API configuration for FeedbackFruits in Canvas (which many still do) none of this affected your integration.
If your institution uses an inherited API key configuration, read on.
What happened
On May 1st, Instructure responded to a security incident on their platform by rotating the client IDs and secrets of a category of Canvas Developer Keys called "inherited API keys." A portion of FeedbackFruits' Canvas integrations relies on these.
Once those keys were rotated, our API integration could no longer authenticate against the affected Canvas instances. The visible symptoms: educators launching FeedbackFruits activities got stuck on the Canvas permissions screen, and scheduled grade syncs paused.
First reports reached us at 05:37 UTC. We declared an incident at 07:08 UTC, once we'd verified the issue was widespread rather than contained to a single institution. The connection to Instructure's earlier status notice (which only tangentially mentioned API keys) wasn't immediately obvious from the symptoms we were seeing; Instructure formally acknowledged the underlying security incident at 22:30 UTC that evening, several hours after our integration had already been restored.
We deployed a workaround at 08:01 UTC to unblock launching, then worked with Instructure to fully restore access, which landed at ~13:00 UTC. The FeedbackFruits integration into affected Canvas instances has been stable since.
For the broader picture on Instructure's side, see their Application Key Timestamp Notice and their status page. Our own incident timeline lives here.
Am I affected?
FeedbackFruits' integration with Canvas has two layers: LTI (how learning activities launch) and API (how course data and grades sync). Only the API side was disrupted, and only in one specific configuration.
There are two ways our API integration can be set up:
- Inherited API key: was affected. Set up via Canvas's developer key inheritance flow.
- Manual API configuration: was not affected. Configured manually by your IT or LMS team.
All institutions using the ‘inherited API key’ configuration have received an email from us on May 1st. If you're not sure which applies to your institution, your Partner Success Manager can check.
What action is needed?
For LMS admins: None. The integration is restored at the instance level. You do not need to reconfigure anything in Canvas. (You will see that the inherited API key is now numbered ‘170000000002380’, which was ‘170000000000749’ before Instructure’s intervention).
For educators in affected courses: When you next open a FeedbackFruits activity, Canvas will ask you to grant permissions to FeedbackFruits again. Approve them once per course, and synchronization resumes for that course.
One practical note on scheduled grade syncs: they won't run for an affected course until at least one educator has opened a FeedbackFruits activity there and reauthorized. If you have a sync queued for a course nobody is teaching into this week, the simplest fix is to open an activity in it yourself.
Why does the integration name say "FeedbackFruits - 2026-04-30 22:24:18 UTC"?
Because Instructure appended a timestamp to the rotated keys as part of their mitigation. The integration you're approving is still FeedbackFruits: the suffix is a side effect, not a problem, and you should approve it as you would any FeedbackFruits prompt. Instructure explains it in the community post linked above. We expect this naming to be temporary on Instructure's side.
Was data compromised?
There is no known misuse of FeedbackFruits API credentials. Instructure's rotation was a precaution following an incident on their platform, not a response to confirmed abuse of our keys. For the broader security context on Instructure's side, refer to their status communications.
Timeline (UTC, May 1st)
| Time | Event |
|---|---|
| 05:37 | First reports of integration unavailability reach us. |
| 07:08 | After verifying the issue is widespread (not isolated to one institution), we declare an incident. |
| 07:27 | We begin implementing a workaround to unblock activity launches. |
| 08:01 | Workaround live: educators no longer stuck on permissions. Sync still down pending Instructure. |
| ~12:00 | Affected FeedbackFruits partners receive direct email notification. |
| ~13:00 | Instructure restores inherited API key access for FeedbackFruits. |
| 13:32 | We move the incident to monitoring; |
| 15:21 | Incident resolved. Educators in affected courses begin reauthorizing. |
| 22:30 | Instructure formally acknowledges the underlying security incident. |
What we're doing next
We're working with Instructure to understand the root cause on their end and to evaluate, on both sides, whether anything in the architecture would reduce the blast radius next time.
If there's anything we could have communicated faster or more clearly during this, your Partner Success Manager wants to hear it. That feedback genuinely shapes how we handle future incidents.
Who to contact
For anything specific to your institution’s Canvas/FeedbackFruits integration (for example, which API configuration you're on) your Partner Success Manager is the fastest path.
For everything else (whether a particular course is recovering, the state of a specific grade sync), support@feedbackfruits.com is open as always.