When we install Design Tools we require you to create a developer key inside Canvas. You set up the key using information Cidi Labs supplies (key name, developer email, redirect URI's, icon URL, etc.) and then provide us with the key and secret. We encrypt and store the dev key for use by the Design Tools LTI tools (Multi-Tool, Upload/Embed Image Tool and the Installation tool). 

The dev key can only be used from the 3 URLs that we have you enter into the Redirect URIs field when creating the dev key. It is used to generate an OAuth token when a user authorizes the LTI tools. The OAuth token is encrypted and stored in the database but is only good for about an hour. If expired, a new request has to go out to Canvas using a refresh token that requests a new OAuth token. That new request must also use the dev key credentials and come from one of the 3 URLs specified at set up. Users can revoke their authorization at any time by going to their user settings and removing “Design Tools” from their Approved Integrations inside Canvas.