Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"io-github-chrischall-canvas-parent-mcp": {
"args": [
"-y",
"canvas-parent-mcp-qr-login"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
MCP server for Canvas LMS (Instructure), scoped for parent observers and student self-access. Targets https://cms.instructure.com by default but works against any Canvas instance.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y 'canvas-parent-mcp-qr-login' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked canvas-parent-mcp-qr-login against OSV.dev.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in ai-ml / productivity
Dynamic problem-solving through sequential thought chains
Persistent memory using a knowledge graph
An autonomous agent that conducts deep research on any data using any LLM providers
🌊 The leading agent orchestration platform for Claude. Deploy intelligent multi-agent swarms, coordinate autonomous workflows, and build conversational AI systems. Features enterprise-grade architecture, distributed swarm intelligence, RAG integration, and native Claude Code / Codex Integration
MCP Security Weekly
Get CVE alerts and security updates for io.github.chrischall/canvas-parent-mcp and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
MCP server for Canvas LMS (Instructure), scoped for parent observers and student self-access. Targets https://cms.instructure.com by default but works against any Canvas instance.
Mirrors the read-only parent-portal scope of sibling infinitecampus-mcp. Users interact via the canvas_* tool prefix.
18 tools across profile, observees, courses, assignments, submissions, grades, calendar, planner, announcements, conversations, discussions, and files.
| Domain | Tools |
|---|---|
| Profile | canvas_get_profile |
| Observees | canvas_list_observees |
| Courses | canvas_list_courses, canvas_get_course |
| Assignments | canvas_list_assignments, canvas_list_missing_submissions |
| Submissions | canvas_get_submission, canvas_list_recent_submissions (default 14d window) |
| Grades | canvas_list_enrollments |
| Calendar | canvas_list_calendar_events, canvas_list_upcoming_events |
| Planner | canvas_list_planner_items |
| Announcements | canvas_list_announcements |
| Conversations | canvas_list_conversations, canvas_get_conversation |
| Discussions | canvas_list_discussion_topics |
| Files | canvas_list_course_files, canvas_download_file |
Tools that the harness will gate as write/IO operations: canvas_download_file.
Set CANVAS_BASE_URL plus one of four auth modes. canvas-parent-mcp tries them in priority order:
CANVAS_TOKEN → personal access tokenCANVAS_CLIENT_ID + CANVAS_CLIENT_SECRET + CANVAS_REFRESH_TOKEN → OAuthCANVAS_USERNAME + CANVAS_PASSWORD → session-scrape (direct Canvas accounts only)canvas_session + pseudonym_credentials cookies from your signed-in Canvas tab via the fetchproxy browser extensionIf none succeed, you get an error that names every escape hatch.
CANVAS_BASE_URL=https://cms.instructure.com
Install the fetchproxy 0.3.0 Chrome / Safari extension (Chrome Web Store / Safari .dmg), sign into your Canvas instance once, and the MCP reads your session cookies at startup. After that, all Canvas API calls go directly from Node — the extension is not in the request hot path. Works with any auth flow (SSO/SAML/2FA included) because Canvas itself handled the sign-in.
Multiple districts? Declared domain instructure.com matches every *.instructure.com host, so you only pair the extension once. The MCP uses whichever district you set in CANVAS_BASE_URL.
Set CANVAS_DISABLE_FETCHPROXY=1 to opt out (missing creds become a hard error — useful in headless CI).
CANVAS_BASE_URL=https://cms.instructure.com
CANVAS_USERNAME=me@example.com
CANVAS_PASSWORD=your-canvas-password
CANVAS_NAME=cms # optional, defaults to host portion of base URL
Direct Canvas accounts only — won't work with SAML/Google/Microsoft SSO or 2FA. Brittle (breaks on every Canvas login-page restyling). Prefer fetchproxy if your tab is already signed in. Treat .env like a password file.
CANVAS_BASE_URL=https://cms.instructure.com
CANVAS_TOKEN=your-personal-access-token
Generate via Canvas → Account → Settings → "+ New Access Token". Most institutions have disabled this for non-admins.