To test your app's signature verification:
Navigate to an app via the Developer Portal.
Select Run signature verification test.
You can re-run the test as often as needed.
After running the test, a table appears with a list of the endpoints that the app might support. This list is based on the extensions added to the app.
For each endpoint, Canva runs the following tests:
Canva sends a request to the endpoint with an invalid signature. This happens when someone other than Canva sends requests to your app. The endpoint must reject the request.
Canva sends two requests to the endpoint with invalid timestamps. One of these timestamps is too far in the past, while the other is too far in the future. This happens during a replay attack. The endpoint must reject both requests.
Canva sends a request to the endpoint with a comma-separated list of signatures, only one of which is valid. This happens when you regenerate your app's client secret. The endpoint must accept the request.
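One verification routine can cover all three checks. This is an added example, not Canva's code: the `v1:timestamp:path:body` message layout, the 300-second tolerance, the 401 rejection status, and all names and sample values are assumptions for illustration.

```python
import hashlib
import hmac

# Assumed values for illustration; take the real ones from the platform's documentation.
TOLERANCE_SECONDS = 300
REJECT = 401


def sign(secret: bytes, timestamp: str, path: str, body: str) -> str:
    """Hex HMAC-SHA256 over an assumed 'v1:timestamp:path:body' message."""
    message = f"v1:{timestamp}:{path}:{body}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def verify_request(secret: bytes, timestamp: str, signatures: str,
                   path: str, body: str, now: int) -> int:
    """Return the HTTP status the endpoint should send: 200 or 401."""
    # Reject unparseable timestamps and ones too far in the past OR the future.
    try:
        sent_at = int(timestamp)
    except (TypeError, ValueError):
        return REJECT
    if abs(now - sent_at) > TOLERANCE_SECONDS:
        return REJECT

    expected = sign(secret, timestamp, path, body).encode()
    # The signature value may be a comma-separated list; one valid entry is enough.
    candidates = [s.strip() for s in (signatures or "").split(",") if s.strip()]
    # Compare every candidate in constant time, without stopping at the first match.
    matched = False
    for candidate in candidates:
        if hmac.compare_digest(candidate.encode(), expected):
            matched = True
    return 200 if matched else REJECT


# Constructed sample request, not captured traffic.
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000
PATH = "/example/endpoint"
BODY = '{"user":"constructed"}'
GOOD = sign(SECRET, str(NOW), PATH, BODY)
OLD_SECRET_SIG = sign(b"constructed-previous-secret", str(NOW), PATH, BODY)
```

The timestamp check runs before the signature check, so a request that was validly signed but is replayed outside the window is still rejected.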
For each test, Canva shows the following status codes:
Expected - The status code that Canva expects to receive from the endpoint.
Received - The status code that Canva actually received from the endpoint.
When the Expected value matches the Received value, the test passes.
For some tests, the 404 status code is valid. This is because some endpoints are sometimes optional. For example, a publish extension that uses the Basic layout doesn't support the following endpoints:
But these endpoints still appear in the signature verification test, regardless of how the extension is configured. Other endpoints, such as /editing/image/process/get, are always optional, so a 404 status code is always valid.