Test signature verification

Check if your app is correctly verifying request signatures.

If your app has extensions that require signature verification, you must implement the verification and test that it's working before submitting your app. You can do this via the Developer Portal.

The signature verification test automatically runs after opening the Submit for review page.

Running the test

To test your app's signature verification:

  1. Navigate to an app via the Developer Portal.

  2. Select Verification.

  3. Select Run signature verification test.

You can re-run the test as often as needed.

If an app only has extensions that don't need signature verification, the Run signature verification test button is disabled and running the tests is not required.

Understanding the results

After running the test, a table appears with a list of the endpoints that the app might support. This list is based on the extensions added to the app.

Supported tests

For each endpoint, Canva runs the following tests:

Invalid signature

Canva sends a request to the endpoint with an invalid signature. This happens when someone other than Canva sends requests to your app. The endpoint must reject the request.

Invalid timestamp

Canva sends two requests to the endpoint with invalid timestamps. One of these timestamps is too far in the past, while the other is too far in the future. This happens during a replay attack. The endpoint must reject both requests.

Mixed valid/invalid signatures

Canva sends a request to the endpoint with a comma-separated list of signatures, only one of which is valid. This happens when you regenerate your app's client secret. The endpoint must accept the request.
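A minimal verifier that exercises the three checks above, added here as an illustration rather than Canva's own code: HMAC-SHA256, the "<timestamp>:<body>" message layout, and the 300-second tolerance window are assumptions, so substitute the scheme from Canva's signature verification documentation.

```python
import hashlib
import hmac
import time
from typing import Optional

# Assumed tolerance window for the request timestamp (seconds). Canva's actual
# window and message layout are not given on this page; treat both as placeholders.
TIMESTAMP_TOLERANCE_SECONDS = 300


def compute_signature(secret: str, timestamp: int, body: bytes) -> str:
    """HMAC-SHA256 over an assumed "<timestamp>:<body>" message, hex encoded."""
    message = f"{timestamp}:".encode() + body
    return hmac.new(secret.encode(), message, hashlib.sha256).hexdigest()


def verify_request(secret: str, timestamp: int, signature_header: str,
                   body: bytes, now: Optional[int] = None) -> bool:
    """Accept only if the timestamp is fresh and at least one of the
    comma-separated signatures matches. All failures look the same to the
    caller so every rejected request gets the same response."""
    now = int(time.time()) if now is None else now
    if abs(now - timestamp) > TIMESTAMP_TOLERANCE_SECONDS:
        return False  # too far in the past or future: treat as a replay
    expected = compute_signature(secret, timestamp, body)
    for candidate in signature_header.split(","):
        # Constant-time compare so timing does not reveal which byte mismatched
        if hmac.compare_digest(expected, candidate.strip()):
            return True
    return False


def run_self_test(secret: str = "constructed-client-secret") -> dict:
    """Replays the three Developer Portal checks locally: invalid signature,
    invalid timestamps (past and future), and a mixed valid/invalid list."""
    now = 1_700_000_000
    body = b'{"type":"PUBLISH"}'  # constructed sample body
    good = compute_signature(secret, now, body)
    bad = compute_signature("some-other-secret", now, body)
    # Stale/future requests carry signatures that are valid for their own
    # timestamp, so only the freshness check can reject them.
    stale = compute_signature(secret, now - 3600, body)
    future = compute_signature(secret, now + 3600, body)
    return {
        "invalid_signature": verify_request(secret, now, bad, body, now) is False,
        "invalid_timestamp_past": verify_request(secret, now - 3600, stale, body, now) is False,
        "invalid_timestamp_future": verify_request(secret, now + 3600, future, body, now) is False,
        "mixed_signatures": verify_request(secret, now, f"{bad},{good}", body, now) is True,
    }
```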

Status codes

For each test, Canva shows the following status codes:

  • Expected - The status code that Canva expects to receive from the endpoint.

  • Received - The status code that Canva actually received from the endpoint.

When the Expected value matches the Received value, the test passes.

404 status codes

For some tests, the 404 status code is valid. This is because some endpoints are sometimes optional. For example, a publish extension that uses the Basic layout doesn't support the following endpoints:

  • /publish/resources/find

  • /publish/resources/get

However, these endpoints still appear in the signature verification test, regardless of how the extension is configured. Other endpoints, such as /editing/image/process/get, are always optional, so a 404 status code is always valid for them.