Rotating LTI Pro credentials for Canvas

In May 2026, Instructure (Canvas Learning Management System), experienced a confirmed security incident. There is no evidence that Zoom's platform or data were affected. Because the LTI Pro credential is a shared token between Zoom and Canvas, it is recommended that all customers using Zoom LTI Pro with Canvas routinely rotate their LTI Pro credentials to bring your integration in line with Instructure's incident-response guidance.

The integration will continue to function normally until you begin the rotation process. Complete the rotation as soon as practical. The steps you'll follow depend on whether your institution uses LTI 1.3 or LTI 1.1.

Requirements for rotating LTI Pro credentials

• Admin access to the Zoom App Marketplace
• Admin access to your Canvas instance
• The Canvas domain(s) your users access the LMS from (for example, school.instructure.com or canvas.school.edu)
• Your existing Canvas LTI Developer Key for Zoom (LTI 1.3) or the External Tool configuration in Canvas (LTI 1.1)—you'll be updating it, not deleting it
• (LTI 1.3 only) Your Canvas Client ID (visible in Canvas under Admin > Developer Keys)

How to rotate LTI 1.3 credentials

The LTI 1.3 rotation process involves creating a new credential in Zoom and updating a single URL in Canvas. Expected end-user downtime is less than one minute, and the total process takes approximately 30 minutes.

Do not recreate the Canvas Developer Key from scratch. Doing so will break existing course placements and require you to reinstall the tool across all courses.

Step 1: Remove and reinstall the LTI Pro app in the Zoom App Marketplace

Uninstalling and reinstalling the LTI Pro app rotates the admin's token with Zoom (not the LTI credential itself). All configuration data is preserved for 7 days after uninstallation. Reinstalling within this window restores all your existing settings automatically.

1. Sign in to the Zoom App Marketplace as an admin.
2. Uninstall the LTI Pro app:
   1. In the top-right corner, click Manage.
   2. Under Admin app management, click Apps on account.
   3. Search for the LTI Pro app.
   4. To the right of the app, click the ellipsis icon.
   5. Click Settings.
   6. Click the Manage app tab.
   7. Click Remove.
   8. Confirm by clicking Remove App.
3. Reinstall the LTI Pro app:
   1. On the LTI Pro app page, click Add.
   2. Click Connect.
   3. Click Allow.
   4. Proceed to LTI 1.3 credential creation.

Step 2: Create a new LTI 1.3 credential in Zoom LTI Pro

After reinstalling the LTI Pro app, you will be directed to the Credential List, where you will create a new credential.

Do not delete the old credential yet; keep it visible so you can reference its settings.

1. Click Create a new credential.
   The Create a credential window will appear.
2. Enter a credential title, select LTI 1.3, and then click Save.
   A new credential with a new Login Initiation URL will be generated. The Login Initation URL is the only value you'll need to update in Canvas.
3. Proceed with configuring the approved domains and third-party credentials.

Step 3: Configure approved domains and third-party credentials in Zoom

After creating a new credential, you will be directed to the LTI Credentials information and settings.

1. In the new LTI 1.3 credential settings, locate the Approved Domains field and enter every Canvas domain your users access the LMS from.
2. At the top of the page, click the 3rd Party Credentials tab.
3. On the LTI Canvas tab, in the Instance list section, click Add Instance.
4. On the Add Instance window, enter the following information:
   • LTI Canvas Site Domain: Enter your Canvas site domain(s).
   • Developer ID and Developer Key: Enter your Canvas Developer ID and Developer Key.
   • Client ID: Enter the Client ID from your existing Canvas Developer Key. This key is available in Canvas (Admin > Developer Keys).
     Note: The Client ID is generated by Canvas and never changes. Always copy the current value shown in Canvas.
5. If your institution uses multiple Canvas domains, repeat steps 3-4 for each domain.
6. Proceed with adding the Login Initiation URL in Canvas.

Step 4: Update the Canvas Developer Key with the Login Initiation URL

The new Login Initiation URL was generated in the Create a new LTI 1.3 credential in Zoom LTI Pro section. The Login Initation URL is the only value you'll need to update in Canvas.

In Canvas, do not change the Redirect URIs, Target Link URI, Public JWK URL, or Client ID. Changing these values will break your integration.

1. In the new LTI 1.3 credential settings, copy the Login Initiation URL. The Login Initation URL is the only value you'll need to update in Canvas.
2. Sign in to Canvas.
3. Click Admin, then click Developer Keys.
4. Locate the existing Zoom LTI Developer Key.
5. In the OpenID Connect Initation URL field, paste the new Login Initiation URL you copied from Zoom LTI Pro.
   Warning: Do not change the Redirect URIs, Target Link URI, Public JWK URL, or Client ID. Changing these values will break your integration.
6. Save the changes.
7. Confirm that the Developer Key state is set to On.

Step 5: Verify the integration

1. Open a Canvas course that uses the Zoom LTI Pro integration.
2. Launch Zoom from the course navigation or a module to confirm the integration is working correctly.
3. (Optional) Proceed to the How to rotate optional integration credentials section if you also want to rotate credentials for optional integrations such as Canvas Calendar or the Phone app.

How to rotate LTI 1.1 credentials

The LTI 1.1 rotation process is simpler than LTI 1.3 because you can regenerate credentials directly in Zoom without creating a new credential. End-user downtime is less than one minute, and the total process takes approximately 15–20 minutes.

Do not delete and recreate the Canvas External Tool. Doing so will break existing course placements and require you to reinstall the tool across all courses.

Step 1: Remove and reinstall the LTI Pro app in the Zoom Marketplace

Uninstalling and reinstalling the LTI Pro app rotates the admin's token with Zoom (not the LTI credential itself). All configuration data is preserved for 7 days after uninstallation. Reinstalling within this window restores all your existing settings automatically.

1. Sign in to the Zoom App Marketplace as an admin.
2. Uninstall the LTI Pro app:
   1. In the top-right corner, click Manage.
   2. Under Admin app management, click Apps on account.
   3. Search for the LTI Pro app.
   4. To the right of the app, click the ellipsis icon.
   5. Click Settings.
   6. Click the Manage app tab.
   7. Click Remove.
   8. Confirm by clicking Remove App.
3. Reinstall the LTI Pro app:
   
   1. On the LTI Pro app page, click Add.
   2. Click Connect.
   3. Click Allow.
   4. Proceed with LTI 1.1 credential regeneration.

Step 2: Regenerate the LTI 1.1 secret in Zoom

After reinstalling the LTI Pro app, you will be directed to the Credential List, where you will regenerate your LTI 1.1 credential.

1. On the LTI Pro configuration page, locate your LTI 1.1 credential and click Edit.
2. Next to LTI Secret, click Regenerate.
   A new LTI Secret will be generated.
3. Copy the new LTI Key and LTI Secret.
4. Proceed with updating the Canvas External Tool configuration.

Step 3: Update the Canvas External Tool configuration

1. Sign in to Canvas.
2. Click Settings, then click Apps.
3. Locate your existing Zoom LTI 1.1 tool.
4. Update the Consumer Key and Shared Secret fields with the new values from Zoom LTI Pro.
5. Save the changes.
6. (Optional) Proceed to the How to rotate optional integration credentials section if you also want to rotate credentials for optional integrations such as Canvas Calendar or the Phone app.

How to rotate optional integration credentials

After completing the main credential rotation for LTI 1.3 or LTI 1.1, you can rotate credentials for the Canvas Calendar and Phone integrations as needed for additional security.

(Optional) Rotate Canvas Calendar credentials

1. Sign in to the Zoom App Marketplace as an admin.
2. In the top-right corner, click Manage.
3. Under Admin app management, click Apps on account.
4. Search for the LTI Pro app.
5. To the right of the app, click the ellipsis icon.
6. Click Configure.
7. Next to your LTI credential, click Edit.
8. Click the 3rd Party Credentials tab.
9. Rotate the Canvas Calendar API credentials.
   Note: Users will need to reauthorize their calendar access after this rotation is complete.

(Optional) Rotate Phone app credentials

The Zoom Phone app launches through LTI Pro, so rotating the LTI credential automatically secures the Phone integration as well. However, you can take the following additional precaution if desired.

1. Sign in to the Zoom App Marketplace.
2. Locate the Zoom Phone app in your added apps.
3. Remove and re-add the Phone app.

For questions about the underlying Instructure incident, refer to Instructure's status page or contact your Canvas administrator.