Appearance
Authentication Setup SOP
How to configure authentication for Canva apps and Connect API integrations.
Apps SDK Authentication
Frictionless Authentication (Recommended)
The simplest auth flow — users authenticate automatically using their Canva identity:
typescript
import { auth } from "@canva/user";
const token = await auth.getCanvaUserToken();
// Send token to your backend for verificationOn your backend, verify the JWT:
javascript
import { createDesignTokenVerifier } from "@canva/app-middleware";
const verifier = createDesignTokenVerifier({ clientSecret: process.env.CANVA_CLIENT_SECRET });
app.use("/api", verifier);Manual OAuth
For when you need users to authenticate with your own service:
- Configure OAuth in
canva-app.json - Implement the redirect handler
- Exchange code for token on your backend
- Store tokens securely (never in localStorage)
Multi-Account OAuth
For apps that need to connect multiple accounts:
- Use
oauth.requestMultiAccount() - See the multi-account OAuth documentation
Connect API Authentication
Connect API uses standard OAuth 2.0 with PKCE for user-facing apps, or client credentials for server-to-server:
Client Credentials Flow (Server-to-Server)
bash
curl -X POST https://api.canva.com/rest/v1/oauth/token \
-d "grant_type=client_credentials" \
-d "client_id=YOUR_CLIENT_ID" \
-d "client_secret=YOUR_CLIENT_SECRET" \
-d "scope=asset:read design:read"Authorization Code Flow (User-Facing)
- Redirect to
https://www.canva.com/oauth2/authorize?... - Handle callback at your
redirect_uri - Exchange code at
POST /oauth/token - Store and refresh tokens as needed
Security Best Practices
- Never expose client secrets in frontend code
- Always verify JWTs on your backend
- Use short-lived tokens with refresh tokens
- Implement PKCE for public clients
- Rotate secrets periodically