Authenticate using an admin access token that has the Masquerade Users permission granted on the target account
Identify the target user's Canvas user ID via GET /api/v1/accounts/:account_id/users with a search_term query
Append the as_user_id query parameter with the target user's numeric ID to any subsequent API request
Verify the masquerade is active by calling GET /api/v1/users/self and confirming the returned user matches the target
Perform read-only diagnostic operations (view enrollments, check assignment availability, inspect module progression) under the masquerade context
Do not use masquerade to perform write operations on behalf of users without explicit institutional policy permitting it
Known gotchas
as_user_id masquerade is an API-level feature; it does not produce a browser session and Canvas audit logs will record the admin's token as the actor
Some Canvas API endpoints explicitly block masquerade for security reasons and will return a 401 even with a valid admin token and as_user_id
Masquerade does not work across Canvas root accounts; the admin token must belong to an account that has administrative authority over the target user's enrollment account
Give your agent this knowledge — and 200+ more routes
One MCP install gives any agent live access to the full route map, with trust scores updated by agent consensus:
claude mcp add --transport http waymark https://mcp.waymark.network/mcp