Partner With Class Compass
Class Compass helps students stay organized by unifying their Canvas courses, grades, assignments, and announcements in one clean dashboard. We partner with schools to provide secure, read-only Canvas integration through official OAuth 2.0 authorization.
What We Access
Class Compass requests read-only access to a limited set of Canvas data through 7 specific API scopes:
- User profile — Name and avatar for personalization
- Course list — Active and past course enrollments
- Dashboard cards — Course colors and display metadata
- Course announcements — Instructor announcements per course
- Student enrollments — Grades and enrollment status
- Activity stream — Recent submissions and updates
- Calendar events — Assignments and due dates
No write access is requested or used. Students cannot modify any Canvas data through Class Compass. All scopes are GET-only endpoints.
Security & Data Handling
Security is central to how Class Compass operates. Below is a detailed overview of our security practices for IT and compliance review.
OAuth 2.0 Standard Flow
Class Compass uses Canvas's official OAuth 2.0 authorization code flow. Students authorize via Canvas's own consent screen — we never see or handle Canvas passwords.
Token Encryption
All Canvas API tokens (access and refresh) are encrypted at rest using AES-256-GCM. Tokens are decrypted on-demand server-side only and are never exposed to the browser or client.
No Canvas Data Retention
Course data, grades, assignments, and announcements are fetched on-demand per session. Nothing is cached, stored, or retained on our servers.
CSRF Protection
OAuth state parameters are validated via httpOnly cookies to prevent cross-site request forgery during the authorization flow.
Automatic Token Refresh
Tokens refresh automatically before expiration. If a refresh fails, all stored credentials are wiped and the student must re-authorize.
Disconnect Anytime
Students can disconnect their Canvas account from settings at any time, which permanently deletes all stored credentials from our database.
Google OAuth for Authentication
We use Google SSO for user authentication — no passwords are stored in our system.
Server-Side Only
All Canvas API communication happens server-side. Tokens and educational data never touch the client or browser.
What Students Get
Class Compass provides a focused set of tools designed for daily student use:
- Unified dashboard — All courses, grades, and teachers at a glance
- Assignment calendar — Upcoming due dates from Canvas
- Announcement feed — Course announcements in one place
- AI-powered summaries — Optional announcement summarization (Pro tier)
- Personal todo lists and quick links — Stored locally in browser, not on server
- Background music — Ambient audio for study sessions
- Clean, modern UI — Built for daily student use
Data Privacy Summary
- Only Google name, email, and profile picture stored server-side
- Canvas credentials encrypted with AES-256-GCM, never stored in plaintext
- Canvas educational data is pass-through only — not stored or logged
- Student todo lists and quick links stored in browser localStorage only
- No data sold or shared with third parties for marketing
- Students can disconnect Canvas and request full account deletion at any time
- Full privacy policy available at /privacy
Integration Requirements
Setting up Class Compass for your institution requires minimal effort from your IT team:
- Create a Canvas Developer Key — Navigate to LMS Admin → Developer Keys in your Canvas instance.
- Set the redirect URI — Use https://classcompass.site/api/canvas/oauth/callback
- Enable “Enforce Scopes” — Check the Read only checkbox to select all read-only endpoints, or manually select only these 7 scopes:
  - url:GET|/api/v1/users/:user_id/profile
  - url:GET|/api/v1/courses
  - url:GET|/api/v1/dashboard/dashboard_cards
  - url:GET|/api/v1/announcements
  - url:GET|/api/v1/users/:user_id/enrollments
  - url:GET|/api/v1/users/self/activity_stream
  - url:GET|/api/v1/calendar_events
- Share credentials securely — Send us the Client ID and Client Secret through a secure channel.
That's it. No server installation, no LTI configuration, and no campus-wide rollout required. Individual students opt in on their own.
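For IT review, the following is an added example (not Class Compass's own code) of a check that an observed Canvas authorization request stays within the redirect URI and 7 scopes listed above. It assumes the request carries standard OAuth 2.0 query parameters with space-delimited scopes; the host canvas.example.edu, the client_id and state values, and the out-of-list PUT scope in the sample are constructed placeholders.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# The redirect URI and the 7 scopes listed in the integration steps above.
APPROVED_REDIRECT = "https://classcompass.site/api/canvas/oauth/callback"
APPROVED_SCOPES = frozenset({
    "url:GET|/api/v1/users/:user_id/profile",
    "url:GET|/api/v1/courses",
    "url:GET|/api/v1/dashboard/dashboard_cards",
    "url:GET|/api/v1/announcements",
    "url:GET|/api/v1/users/:user_id/enrollments",
    "url:GET|/api/v1/users/self/activity_stream",
    "url:GET|/api/v1/calendar_events",
})


def audit_authorize_url(url):
    """Return findings for one authorization request URL; [] means it conforms."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    findings = []
    if query.get("response_type") != ["code"]:
        findings.append("response_type is not 'code'")
    if query.get("redirect_uri") != [APPROVED_REDIRECT]:
        findings.append("redirect_uri differs from the registered callback")
    if not any(query.get("state", [])):
        findings.append("state parameter missing or empty")
    # OAuth 2.0 scopes are space-delimited; merge repeated scope parameters too.
    scopes = " ".join(query.get("scope", [])).split()
    if not scopes:
        findings.append("no scope requested")
    for scope in scopes:
        if not scope.startswith("url:GET|"):
            findings.append(f"non-GET scope requested: {scope}")
        elif scope not in APPROVED_SCOPES:
            findings.append(f"scope outside the approved 7: {scope}")
    return findings


def sample_url(scopes, redirect=APPROVED_REDIRECT, state="constructed-state"):
    """Build a constructed request; host and client_id are placeholders."""
    params = {"client_id": "PLACEHOLDER", "response_type": "code",
              "redirect_uri": redirect, "state": state, "scope": " ".join(scopes)}
    return "https://canvas.example.edu/login/oauth2/auth?" + urlencode(params)


if __name__ == "__main__":
    print(audit_authorize_url(sample_url(sorted(APPROVED_SCOPES))))
    # Constructed drift case: an extra write scope and an empty state value.
    drifted = sorted(APPROVED_SCOPES) + ["url:PUT|/api/v1/courses/:id"]
    print(audit_authorize_url(sample_url(drifted, state="")))
```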
Get Started
Ready to bring Class Compass to your campus? Reach out and we'll walk you through the setup process.
Email: bp08262004@gmail.com