App development
App development
Developer Portal
Create a support ticket
Overview
Quick start
Changelog
Platform concepts
Apps
Extensions
Regions
Authentication
Extension points
Content extensions
Editing extensions
Publish extensions
Frontend development
Assets
Development URL
Error handling
Localization
Notifications
Rich controls
JSX
WebGL
Backend development
Base URL
Signature verification
Client secret
Verify POST request signatures
Verify GET request signatures
Verify timestamp
Test signature verification
SDKs
Distribution
UX guidelines
Submission checklist
Client API
CanvaApiClient
CanvaDataType
CanvaElement
CanvaElementLayout
CanvaImageBlob
CanvaImageHelpers
CanvaImageUrl
CanvaMedia
init
Server API
Overview
GET /apps/configured
POST /configuration
POST /configuration/delete
POST /content/resources/find
POST /editing/image/process
POST /editing/image/process/get
POST /publish/resources/find
POST /publish/resources/get
POST /publish/resources/upload
Redirect URL
Reference
Locales
Powered by GitBook

Test signature verification

Check if your app is correctly verifying request signatures.

If your app has extensions that require signature verification, you must implement the verification and test that it's working before submitting your app. You can do this via the Developer Portal.

The signature verification test automatically runs after opening the Submit for review page.

Running the test

To test your app's signature verification:

  1. Navigate to an app via the Developer Portal.

  2. Select Verification.

  3. Select Run signature verification test.

You can re-run the test as often as needed.

If an app only has extensions that don't need signature verification, the Run signature verification test button is disabled and running the tests is not required.

Understanding the results

After running the test, a table appears with a list of the endpoints that the app might support. This list is based on the extensions added to the app.

Supported tests

For each endpoint, Canva runs the following tests:

Invalid signature

Canva sends a request to the endpoint with an invalid signature. This happens when someone other than Canva sends requests to your app. The endpoint must reject the request.

Invalid timestamp

Canva sends two requests to the endpoint with invalid timestamps. One of these timestamps is too far in the past, while the other is too far in the future. This happens during a replay attack. The endpoint must reject both requests.

Mixed valid/invalid signatures

Canva sends a request to the endpoint with a comma-separated list of signatures, only one of which is valid. This happens when you regenerates your app's client secret. The endpoint must accept the request.

Status codes

For each test, Canva shows the following status codes:

  • Expected - The status code that Canva expects to receive from the endpoint.

  • Received - The status code that Canva actually received from the endpoint.

When the Expected value matches the Received value, the test passes.

404 status codes

For some tests, the 404 status code is valid. This is because some endpoints are sometimes optional. For example, a publish extension that uses the Basic layout doesn't support the following endpoints:

  • /publish/resources/find

  • /publish/resources/get

But these endpoints still appear in the signature verification test, regardless of how the extension is configured. Other endpoints, such as /editing/image/process/get are always optional, so a 404 status code is always valid.

Previous
Verify timestamp
Next - Backend development
SDKs
Last updated 1 day ago
Contents
Running the test
Understanding the results
Supported tests
Status codes
404 status codes