Yes, this behavior is intentional and is due to Canvas' privacy settings and permissions model.
Privacy Settings in Canvas:
Canvas hides user email addresses by default unless the requesting user has the correct permissions. Admin users have broader access, so they can see emails, but regular users do not necessarily have permission to view their own or others' email addresses via the API.
Account-Level Settings:
Your Canvas instance may have settings that restrict email visibility for non-admin users. For example, Canvas administrators can configure whether email addresses are visible through the API under:
Admin > Settings > Security (or similar)
Scope of OAuth Tokens:
Even though you have disabled enforce scopes, Canvas still applies certain internal privacy rules. The email field might require additional permissions, such as Users - manage login details.
User Visibility & Role Permissions:
The visibility of user emails may also depend on the specific role settings under:
Admin > Roles & Permissions
Look for permissions related to "Users" or "Profile" and check if there are any restrictions on email visibility.
Check if an Additional Scope is Needed:
Some API fields are restricted unless the OAuth token includes additional permissions. Try explicitly requesting email access in the OAuth scope.
Try Querying profile Endpoint:
Instead of /api/v1/users/self, try querying:
GET /api/v1/users/self/profile
This endpoint sometimes includes the email address, depending on permissions.
Check public Attribute in User Settings:
Each user can set their email visibility under their Canvas profile settings. If emails are set to private, they may not appear in API responses.
Use Admin API Token (If Allowed):
If your app needs email addresses, you might need an admin API token or configure a service account with broader access.
Even with global developer key access, Canvas enforces privacy policies for regular users. You may need to adjust role permissions or request emails via a different endpoint (/profile) or with additional API scopes.
Would you like help testing specific API calls or adjusting Canvas settings?