Learn how authentication works in Canva Apps.
This topic explains what authentication is and how it works.
These are some examples of apps that support authentication:
When a user opens an extension in an authentication-enabled app, they see a Connect button.
If the user clicks this button, a pop-up window appears and loads an authentication screen for a third-party platform.
The user can log in to or sign up for an account with the platform. (The exact authentication method is entirely dependent on the platform.)
Once the user authenticates:
- The pop-up window closes.
- The extension reloads.
- The user gains access to the extension’s content or options.
When Canva sends an HTTP request to an extension, the body of the request includes the ID of the current user. An extension uses this ID to check if it’s associated with a user in a third-party platform’s backend.
If the ID is associated with a user, the extension can load with content or options specific to that user. For example, a content extension may only retrieve content belonging to that user.
If the ID is not associated with a user, the extension can render a Connect button. When the user clicks this button, the authentication flow begins. How an extension handles the authentication flow depends on the extension point. To learn more, see the extension-specific guides:
The authentication flow is:
1. A user clicks on the Connect button.
2. Canva opens a pop-up window and redirects them to the app’s Redirect URL. You can configure this URL via the Developer Portal.
3. The Redirect URL takes the user to a page that’s hosted on the third-party platform. This page must let users sign up for or log in to an account with the platform.
4. The user logs in at the redirect URL location.
5. Canva appends a `user` parameter to the Redirect URL. This parameter contains the ID of the current Canva user. Canva uses this parameter to associate the user in Canva’s backend with the user in the platform’s backend.
6. The extension redirects the user back to Canva from within the pop-up window. This closes the pop-up window and reloads the extension.
7. Once again, the extension receives a request that contains the ID of the user. Since this user is now associated with a user in the platform’s backend, it can load with content or options specific to that user.
Canva’s platform is designed to support all methods of authentication, so it doesn’t matter how users sign up or log in via the pop-up window, but some common methods include:
- Username and password
- OAuth 2.0
- QR codes
- You can only enable authentication for an entire app, not an individual extension.
- The ID of the user is obfuscated and unique to each app. If the same user authenticates with a different app, their ID is different.
- The ID of the user is unique to each team. If a user switches to a different team and uses the same app, their ID is different.
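
The following sketch shows one way a platform backend could keep the association described in the flow above. It is an added example, not Canva's or any app's own code. The class `AccountLinks`, its methods, the `CONNECT`/`CONTENT` result types, and the sample IDs and URL are all hypothetical, and it assumes the login token it returns is kept in the platform's own login session.

```javascript
// Added example. AccountLinks and its method and field names are hypothetical,
// not Canva APIs; IDs and URLs below are constructed sample values.
const { randomBytes } = require("node:crypto");

class AccountLinks {
  constructor() {
    this.pending = new Map(); // login token -> Canva user ID awaiting login
    this.links = new Map();   // Canva user ID -> platform account ID
  }

  // The pop-up arrives at the Redirect URL carrying the `user` parameter.
  // Hold the ID server-side against a random token so the value cannot be
  // swapped in the browser while the user is on the login page.
  beginLogin(redirectUrl) {
    const user = new URL(redirectUrl).searchParams.get("user");
    if (!user) throw new Error("missing user parameter");
    const token = randomBytes(16).toString("hex");
    this.pending.set(token, user);
    return token;
  }

  // Called only after the platform has authenticated the account.
  // Tokens are single-use, so a replayed token cannot create a second link.
  completeLogin(token, platformAccountId) {
    const user = this.pending.get(token);
    if (user === undefined) return false;
    this.pending.delete(token);
    this.links.set(user, platformAccountId);
    return true;
  }

  // An extension request arrives with the Canva user ID in its body.
  handleExtensionRequest(canvaUserId) {
    const account = this.links.get(canvaUserId);
    return account === undefined
      ? { type: "CONNECT" }
      : { type: "CONTENT", account };
  }
}

// One platform account, two teams: each team's ID must be linked separately.
function demo() {
  const store = new AccountLinks();
  const token = store.beginLogin("https://platform.example/login?user=id-team-a");
  store.completeLogin(token, "acct-42");
  return [store.handleExtensionRequest("id-team-a"),
          store.handleExtensionRequest("id-team-b")];
}
```

Because the ID differs per app and per team, the store is keyed by Canva user ID rather than by platform account, so one platform account can hold several links.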