Apps can require users to authenticate with a third-party platform before gaining access to the app's features. This page contains some guidelines for creating a delightful authentication flow.
When a user starts the authentication flow, they should have the option to sign up for or log into an account with the third-party platform. Don't assume that the user already has (or doesn't have) an account.
A lot of people exclusively use Canva on non-desktop devices, such as smartphones. Knowing this, the authentication flow should be as delightful as possible on various hardware and screen resolutions.
A lot of things can go wrong during an authentication flow, such as entering an incorrect password or trying to log in with a username that doesn't exist. To minimize frustration, provide clear error messages that explain what went wrong and how the user can fix it.
Don't leave users stranded in an endless rabbit hole or in an unfixable error state. Thoroughly test the authentication flow for edge cases and make it easy for the user to exit (or restart) the flow if something does go wrong.
When a user authenticates, they must be able to revoke that authentication at any point in time. They must also have the option to re-authenticate with the same (or a different) account at a later point in time.
If a user starts an authentication flow on an iOS device, iOS shows them the domain name of the Redirect URL. If the Redirect URL is a strange-looking URL, like that of an AWS bucket, users may be hesitant to continue authenticating. For this reason, we require apps to have a Redirect URL that looks friendly and familiar.
During an authentication flow, apps must not opt users into marketing communications by default. At most, apps can allow users to opt into communications. Users must also be able to unsubscribe from communications at any time.