Optimizing the authentication flow
Guidelines for creating a great authentication experience.
Apps can require users to authenticate with a third-party platform before gaining access to the app's features. This page contains some guidelines for creating a delightful authentication flow.

Let users sign up (or log into) an account

When a user starts the authentication flow, they should have the option to sign up for or log into an account with the third-party platform. Don't assume that the user already has (or doesn't have) an account.

Support authentication on non-desktop devices

A lot of people exclusively use Canva on non-desktop devices, such as smartphones. Knowing this, the authentication flow should be as delightful as possible on various hardware and screen resolutions.

Provide clear, actionable error messages

A lot of things can go wrong during an authentication flow, such as entering an incorrect password or trying to log in with a username that doesn't exist. To minimize frustration, provide clear error messages that explain what went wrong and how the user can fix it.

Avoid dead-ends and endless loops

Don't leave users stranded in an endless loop or stuck in an unfixable error state. Thoroughly test the authentication flow for edge cases and make it easy for the user to exit (or restart) the flow if something does go wrong.

Let users revoke their permissions

When a user authenticates, they must be able to revoke that authentication at any point in time. They must also have the option to re-authenticate with the same (or a different) account at a later point in time.

Provide a user-friendly Redirect URL

If a user starts an authentication flow on an iOS device, iOS shows them the domain name of the Redirect URL. If the Redirect URL is a strange-looking URL, like that of an AWS bucket, users may be hesitant to continue authenticating. For this reason, we require apps to have a Redirect URL that looks friendly and familiar.

Don't auto-subscribe users to marketing communication

During an authentication flow, apps must not opt users into marketing communications by default. At most, apps can allow users to opt into communications. Users must also be able to unsubscribe from communications at any time.