Skip to content

Authentication Setup SOP

How to configure authentication for Canva apps and Connect API integrations.

Apps SDK Authentication

The simplest auth flow — users authenticate automatically using their Canva identity:

typescript
import { auth } from "@canva/user";

const token = await auth.getCanvaUserToken();
// Send token to your backend for verification

On your backend, verify the JWT:

javascript
import { createDesignTokenVerifier } from "@canva/app-middleware";

const verifier = createDesignTokenVerifier({ clientSecret: process.env.CANVA_CLIENT_SECRET });
app.use("/api", verifier);

Manual OAuth

For when you need users to authenticate with your own service:

  1. Configure OAuth in canva-app.json
  2. Implement the redirect handler
  3. Exchange code for token on your backend
  4. Store tokens securely (never in localStorage)

Multi-Account OAuth

For apps that need to connect multiple accounts:

  • Use oauth.requestMultiAccount()
  • See the multi-account OAuth documentation

Connect API Authentication

Connect API uses standard OAuth 2.0 with PKCE for user-facing apps, or client credentials for server-to-server:

Client Credentials Flow (Server-to-Server)

bash
curl -X POST https://api.canva.com/rest/v1/oauth/token \
  -d "grant_type=client_credentials" \
  -d "client_id=YOUR_CLIENT_ID" \
  -d "client_secret=YOUR_CLIENT_SECRET" \
  -d "scope=asset:read design:read"

Authorization Code Flow (User-Facing)

  1. Redirect to https://www.canva.com/oauth2/authorize?...
  2. Handle callback at your redirect_uri
  3. Exchange code at POST /oauth/token
  4. Store and refresh tokens as needed

Security Best Practices

  • Never expose client secrets in frontend code
  • Always verify JWTs on your backend
  • Use short-lived tokens with refresh tokens
  • Implement PKCE for public clients
  • Rotate secrets periodically

Canva Developer Documentation SOP Site