Instructure/Canvas Security Incident — FAQ

Last updated: May 11, 2026

This page addresses questions from institutional partners about Hypothesis’s exposure to the security incident affecting Instructure (parent company of Canvas). For direct inquiries, contact your Customer Success Manager or security@hypothes.is.

For information on Hypothesis’s overall security program, see our Security page, which links to our HECVAT, SOC compliance documentation, TX-RAMP, and CAIQ assessment.


Status

Has Hypothesis been breached?

No. Hypothesis systems are operating normally, and we have no indication of compromise. Our engineering team has reviewed our environment in light of the Instructure incident and continues to monitor for any indicators that emerge from Instructure’s ongoing investigation.

Is Hypothesis still operational?

Yes. The Hypothesis service, including all annotation data, is operating normally. Institutions that have temporarily disabled Canvas access will not be able to launch Hypothesis assignments through Canvas during that period, but Hypothesis itself remains available, and all annotation data is intact.


How Hypothesis Connects to Canvas

What’s the difference between how Hypothesis uses LTI and OAuth?

Hypothesis uses two distinct standards-based mechanisms to integrate with Canvas, each serving a different purpose:

LTI 1.3 is used for assignment launches. When a student or instructor opens a Hypothesis assignment in Canvas, Canvas sends a signed, time-limited identity claim (a JWT) to Hypothesis containing the user’s name, email, Canvas user ID, course, and role. This is how Hypothesis authenticates users entering from Canvas. LTI is used by every Canvas-Hypothesis integration.

OAuth 2.0 is used only for optional API-based features such as the Canvas file picker, course sections, and group support. When an institution enables these features, Canvas administrators create a Developer Key inside their own Canvas instance and provide the credentials to Hypothesis. Users then complete a standard OAuth consent flow to authorize Hypothesis to make scoped API calls to Canvas on their behalf. Institutions that don’t use these features don’t go through OAuth.

Are these credentials shared between institutions?

No. Each institution creates and controls its own Canvas Developer Key for OAuth, and each LTI 1.3 deployment is configured per institution. Hypothesis does not maintain shared service accounts or backdoor credentials with Instructure.


Data and Architecture

What Canvas data does Hypothesis store?

Hypothesis stores only the Canvas data needed to operate the integration:

  • From LTI launches (all institutions): user names, email addresses, Canvas user IDs, and course/role context.
  • From OAuth API calls (institutions using OAuth-based features only): section and group memberships, retrieved at the time the data is needed to support features like SpeedGrader or group assignments.

This data is a subset of what already resides in your institution’s Canvas instance. Hypothesis does not store Canvas passwords, financial information, dates of birth, or government identifiers.

Where is Hypothesis annotation data stored?

Annotation data and other user-generated content created in Hypothesis are stored in Hypothesis-managed infrastructure. None of this content is stored in Instructure’s systems.

Does the data Hypothesis holds represent additional exposure beyond the Instructure incident?

The user-identifying data Hypothesis stores is a subset of data that already resides in your institution’s Canvas instance and was within the scope of the Instructure incident. Hypothesis itself was not breached.


Authentication and Credentials

How does Hypothesis authenticate to Canvas?

For LTI 1.3, authentication uses signed JWTs exchanged through the LTI 1.3 protocol with key pairs configured by your Canvas administrators. For OAuth API access, Hypothesis uses standard OAuth 2.0 with a Developer Key your institution generates inside its own Canvas instance.
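The launch-side check that both this answer and the LTI description under "How Hypothesis Connects to Canvas" describe, written out as an added Go example (this is not Hypothesis's own code). It plays both sides: `SignLaunch` stands in for Canvas minting the RS256-signed identity token, and `Verifier.Verify` is what a tool must do before trusting any claim in it: pin the algorithm, verify the signature against the platform key registered for that institution, then check issuer, audience, expiry and nonce. The issuer `https://canvas.example.edu`, the client_id `tool-client-id-demo`, the user ID and the fixed clock are constructed placeholders; the platform key is generated on the spot instead of being fetched from the platform's JWKS endpoint, and the nonce replay cache is an in-memory map. The roles claim name and the Learner role URI are the standard LTI 1.3 ones.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// LaunchClaims is the subset of an LTI 1.3 id_token a tool relies on. The roles claim
// name is the standard LTI one; every value used in this demo is constructed.
type LaunchClaims struct {
	Iss   string   `json:"iss"`
	Aud   string   `json:"aud"` // Canvas sends the tool's client_id as a single string
	Sub   string   `json:"sub"` // the platform's user ID
	Exp   int64    `json:"exp"`
	Nonce string   `json:"nonce"`
	Roles []string `json:"https://purl.imsglobal.org/spec/lti/claim/roles"`
}

// Verifier holds what the tool must know about the platform before any launch arrives.
type Verifier struct {
	PlatformIssuer string          // expected "iss": the institution's Canvas instance
	ClientID       string          // this tool's client_id, which must appear in "aud"
	PlatformKey    *rsa.PublicKey  // platform signing key (production fetches it from the platform JWKS by "kid")
	Now            func() time.Time
	Seen           map[string]bool // nonce replay cache; a real deployment persists it with a TTL
}

var b64 = base64.RawURLEncoding

// SignLaunch plays the platform side: it mints the RS256 id_token Canvas would POST to the tool.
func SignLaunch(key *rsa.PrivateKey, claims LaunchClaims) (string, error) {
	body, _ := json.Marshal(claims) // a plain struct of strings and ints cannot fail to marshal
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// Verify is the tool side. Order matters: algorithm pin and signature first, so nothing in
// the payload is trusted before it is authenticated; then issuer, audience, expiry and nonce.
func (v *Verifier) Verify(token string) (*LaunchClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrJSON, e1 := b64.DecodeString(parts[0])
	body, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("token segments are not base64url")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(hdrJSON, &hdr) != nil || hdr.Alg != "RS256" { // refuses "none" and HMAC variants
		return nil, errors.New("unexpected alg; only RS256 is accepted")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(v.PlatformKey, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature does not verify against the platform key")
	}
	var c LaunchClaims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	switch now := v.Now().Unix(); {
	case c.Iss != v.PlatformIssuer:
		return nil, errors.New("issuer is not the registered platform")
	case c.Aud != v.ClientID:
		return nil, errors.New("token was not issued to this tool")
	case now >= c.Exp:
		return nil, errors.New("token expired")
	case c.Nonce == "" || v.Seen[c.Nonce]:
		return nil, errors.New("nonce missing or already used (replay)")
	}
	v.Seen[c.Nonce] = true
	return &c, nil
}

// DemoSetup builds a throwaway platform key pair and a verifier pinned to a fixed clock.
// The issuer and client_id are constructed placeholders, not real Canvas values.
func DemoSetup() (*rsa.PrivateKey, *Verifier) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	fixed := time.Unix(1_800_000_000, 0)
	return key, &Verifier{PlatformIssuer: "https://canvas.example.edu", ClientID: "tool-client-id-demo",
		PlatformKey: &key.PublicKey, Now: func() time.Time { return fixed }, Seen: map[string]bool{}}
}

// DemoClaims is a well-formed five-minute launch for that clock; the role URI is the standard LTI Learner role.
func DemoClaims(v *Verifier, nonce string) LaunchClaims {
	return LaunchClaims{Iss: v.PlatformIssuer, Aud: v.ClientID, Sub: "canvas-user-1234",
		Exp: v.Now().Unix() + 300, Nonce: nonce,
		Roles: []string{"http://purl.imsglobal.org/vocab/lis/v2/membership#Learner"}}
}
```

The point the FAQ makes is that the token is a per-launch identity claim, not a standing credential: a launch that carries a replayed nonce, an expired `exp`, another tool's `aud`, a different issuer, a payload altered after signing, or an `alg` other than the one registered for the platform fails `Verify` before any user data is read. The key pairs "configured by your Canvas administrators" correspond to `PlatformKey` here; revoking the LTI deployment on the Canvas side is what stops new valid tokens from being minted.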

What about the user-level OAuth tokens Hypothesis holds?

For institutions using OAuth-based features, Hypothesis stores per-user OAuth access and refresh tokens issued through the standard Canvas OAuth flow. These tokens are scoped to the permissions your institution granted via your Developer Key and follow Canvas’s OAuth expiration and rotation behavior. Our engineering team is monitoring the integration for any anomalous activity and is prepared to take additional precautionary action, including token invalidation, if warranted.

Can our institution revoke Hypothesis’s access?

Yes. Both the LTI 1.3 deployment and the Canvas Developer Key (for OAuth) are managed by your Canvas administrators inside your own Canvas instance and can be disabled or revoked at any time.


Canvas API Usage

What Canvas APIs does Hypothesis call?

For institutions using OAuth-based features, Hypothesis accesses a limited set of Canvas API endpoints to support file picking, sections, groups, Pages, and SpeedGrader. The full list is documented publicly in our integration documentation. Endpoint access is governed by the OAuth scopes granted by your institution’s Developer Key.


What Customers Should Do

Does our institution need to take any action?

No Hypothesis-side action is required. If your institution has temporarily disabled Canvas, Hypothesis assignments will be unreachable through that route until Canvas is restored — annotation data remains intact and will be accessible normally once Canvas is back online.

If your security team would like to revoke and reissue your Canvas Developer Key as a precaution, Hypothesis can support you through the reinstallation process. Contact your CSM to coordinate.

Will Hypothesis send updates if the situation changes?

Yes. We will update institutional partners directly if any new information materially affects this assessment, and will refresh this page as the situation develops.


Contact