While creating an integration, you may encounter the following Forbidden (403) error:
This error can occur for a few different reasons.
A user can only edit a design that they created. If you call the method to edit a design and pass through an ID of a design not created by the current user, Canva responds with a
By default, Canva Button API keys are locked to the following domains:
If you try to use a Canva Button API key from other domains, Canva blocks the request and responds with a 403 error. To learn how to add other domains to Canva's allowlist, refer to Adding domains to the allowlist.
Because of domain restrictions, it's not possible to add the Canva Button to an HTML file on your local machine and open that file directly in a web browser. You need to serve the HTML file via localhost. To learn how to develop locally with the Canva Button, refer to Local development.
When an integration loads, the request that's sent to Canva must include the Referer HTTP header. Canva uses the Referer header to check whether the integration's domain is on the allowlist.
Sometimes, though, the Referrer-Policy header is set to a value that prevents Canva from receiving the Referer header, for example:

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade
As a result, Canva can't confirm if the origin domain is on the allowlist and blocks the request, causing the 403 error.
To fix this problem, Canva recommends setting the Referrer-Policy header to strict-origin-when-cross-origin. This ensures that the origin is sent with cross-origin requests, which allows Canva to verify whether the origin domain is on the allowlist.
For more information, refer to Referrer-Policy.