App development
Create an appCreate a support ticket
Search…
Overview
Quick start
Changelog
Platform concepts
Apps
Extensions
Regions
Authentication
Deprecation policy
Extensions
Content extensions
Editing extensions
Publish extensions
Frontend development
Assets
Development URL
Error handling
Localization
Notifications
Rich controls
JSX
WebGL
Backend development
Base URL
Continuation
Signature verification
SDKs
Distribution
UX guidelines
Submission checklist
Creating the App Directory listing
Client API
EditingExtensionClient.API
CanvaDataType
CanvaElement
CanvaElementLayout
CanvaImageBlob
CanvaImageHelpers
CanvaImageUrl
CanvaMedia
init
Server API
Overview
GET /apps/configured
POST /configuration
POST /configuration/delete
POST /content/resources/find
POST /editing/image/process
POST /editing/image/process/get
POST /publish/resources/find
POST /publish/resources/get
POST /publish/resources/upload
Redirect URL
Reference
Locales
Powered By GitBook
POST /configuration
API reference for the "/configuration" endpoint.
If an app supports authentication and has a publish extension, Canva sends a POST request to the following endpoint when a user opens the extension:
1
<authentication_base_url>/configuration
Copied!
The purpose of this request is to check if the user is authenticated with the destination platform.
If the user is authenticated, the extension continues to load. If the user is not authenticated, Canva renders a Connect button. The user can click this button to start the authentication flow.
To learn more, refer to Authentication.

Notes

  • Extensions must respond to this request within 8 seconds.
  • When sending this request, Canva replaces <authentication_base_url> with the app's Authentication base URL. You can configure the Authentication base URL via the app's Authentication page.

Request

Endpoint

1
POST <authentication_base_url>/configuration
Copied!

Headers

Property
Type
Required
Description
X-Canva-Signatures
string
Yes
A comma-separated list of request signatures. The name of this header is sometimes lowercase (e.g. x-canva-signatures).
X-Canva-Timestamp
string
Yes
The UNIX timestamp (in seconds) of when Canva sent the request. The name of this header is sometimes lowercase (e.g. x-canva-timestamp).

Body

Properties

Property
Type
Required
Description
user
string
Yes
The ID of the user.
brand
string
Yes
The ID of the user's team.

Example

1
{
2
"user": "<user>",
3
"brand": "<brand>"
4
}
Copied!

Responses

200 - Success (user is authenticated)

The response the app provides when the user is authenticated with the destination platform.

Properties

Property
Type
Required
Description
type
"SUCCESS"
Yes
The type of response.
labels
array
Yes
The extension points the user has authenticated with.

Example

1
{
2
"labels": [],
3
"type": "SUCCESS"
4
}
Copied!

200 - Error (user not authenticated)

The response the app provides when the user is not authenticated with the destination platform.

Properties

Property
Type
Required
Description
type
"ERROR"
Yes
The type of response.
errorCode
"CONFIGURATION_REQUIRED"
Yes
An error code that describes what went wrong.

Example

1
{
2
"type": "ERROR",
3
"errorCode": "CONFIGURATION_REQUIRED"
4
}
Copied!

200 - Error (other)

The response the app provides when an error occurs.

Properties

Property
Type
Required
Description
type
"ERROR"
Yes
The type of response.
errorCode
string
Yes
An error code that describes what went wrong. Enum: "FORBIDDEN", "INTERNAL_ERROR", "INVALID_REQUEST", "NOT_FOUND", "TIMEOUT"

Example

1
{
2
"type": "ERROR",
3
"errorCode": "<error_code>"
4
}
Copied!

401 - Invalid request signature or timestamp

An extension must verify the request signature and timestamp of all incoming requests. When an extension can't verify either of these values, it must reject the request with a 401 status code.
Server API - Previous
GET /apps/configured
Next - Server API
POST /configuration/delete
Last modified 6mo ago
Copy link
Contents
Request
Endpoint
Headers
Body
Responses
200 - Success (user is authenticated)
200 - Error (user not authenticated)
200 - Error (other)
401 - Invalid request signature or timestamp