Print Partnership
Developer PortalCanva Helpdesk
Search…
Overview
Quick start
Stay up to date
Release notes
Deprecated and obsolete features
Canva status
Concepts
Evaluating Canva
Authentication
Credentials
Product catalog
Proofing
Security
User journey
Tutorial
Getting started
Set up a web server
Initialize the Partnership SDK
Show the product catalog
Calculate an autoAuthToken
Create a new design
Preview the user's artwork
Purchase the user's artwork
How-to guides
Anonymous editing
Customize export settings
Customize the "Publish" button
Edit designs
Handle page refreshes
Request for translation
Resize designs
Resize designs with Magic Resize
Set up multiple product catalogs
Show campaign templates
Support mobile devices
Use a custom landing page
Distribution
Pre-launch checklist
Troubleshooting
Forbidden (403)
Support
General support
Incident response process
JavaScript API
createDesign
editDesign
initialize
onArtworkCreate
onBackClick
onDesignClose
onDesignOpen
onDesignSelect
onMultiArtworkCreate
onProductSelect
showCatalog
REST API
Delete a user
Purchase an artwork
Restore a user
Reference
Export settings
Glossary
Locales
Powered By GitBook
Forbidden (403)
While creating an integration, you may encounter the following Forbidden (403) error:
This error can occur for a few different reasons.

Design permissions

A user can only edit a design that they created. If you call the editDesign method and pass through a designId of a design not created by the current user, Canva responds with a 403 error.

Domain restrictions

By default, an integration's API keys are locked to the following domains:
  • canva.com
  • localhost
If requests don't originate from these domains, Canva responds to the requests with a 403 error.
To use the API keys from other domains, you need to request Canva to add the domains to the allowlist.
To raise a request:
  1. 1.
    Navigate to the Canva Helpdesk.
  2. 2.
    Select Integration support.
  3. 3.
    In the Domains field, list the other domains.

Referrer-Policy HTTP header

When an integration loads the product catalog, the request that's sent to Canva must include the Referer HTTP header. Canva uses the Referer header to identify if the integration's domain is on the allowlist.
Sometimes though, the Referrer-Policy header is set to a value that prevents Canva from receiving the Referer header:
1
Referrer-Policy: no-referrer
2
Referrer-Policy: no-referrer-when-downgrade
Copied!
As a result, Canva can't confirm if the origin domain is on the allowlist and blocks the request, causing the 403 error.
To fix this problem, we generally recommend setting the Referrer-Policy header to the strict-origin-when-cross-origin header. This ensures that the origin is sent with cross-origin requests, which allows Canva to verify if the origin domain is on the allowlist.
For more information, refer to Referrer-Policy.

Invalid autoAuthToken

When initializing the Partnership SDK, an integration needs to provide an autoAuthToken:
1
(async () => {
2
const api = await Canva.Partnership.initialize({
3
apiKey: "<api_key>",
4
autoAuthToken: "<auto_auth_token>",
5
container: document.getElementById("container"),
6
});
7
})();
Copied!
If this token is invalid, Canva responds with a 403 error.
These are some reasons why an autoAuthToken might be invalid:

Calculating a token with incorrect values

When calculating a token, double-check the following values
  • The integration's Partner API key.
  • The integration's Partner API secret.
  • The ID of the end user (that is, the ID of the partner's customer).
  • The "issued at" time of the token as a UNIX timestamp (in seconds).
  • The "expires at" time of the token as a UNIX timestamp (in seconds).
Are the values accurate? Are they of the correct type?

Calculating a token with mismatched credentials

Verify that the Partner API key and Partner API secret are for the same environment. You can't, for instance, calculate a token using the "production" API key and the "test" API secret.
Partners are charged for their API usage when using the "production" API keys, so be sure to only use "test" API keys during the development and testing phase. To learn more, refer to Credentials.

Calculating a token with an "issued at" time that's in the future

There is some leniency, as it's possible for server clocks to not be perfectly synchronized, but the "issued at" time should be as accurate as reasonably possible.

Calculating a token with an "expires at" time that's more than 12 hours in the future

The Partnership SDK requires autoAuthTokens to expire in 12 hours or less.

Calculating more than 5 tokens from the same IP in under an hour

You can't calculate more than 5 autoAuthTokens from the same IP address in under an hour. If end users are returning to an integration more than 5 times per hour, you can avoid reaching this limit by saving the autoAuthToken in a cookie or via local storage.
Distribution - Previous
Pre-launch checklist
Next - Support
General support
Last modified 11mo ago
Export as PDF
Copy link
Contents
Design permissions
Domain restrictions
Referrer-Policy HTTP header
Invalid autoAuthToken
Calculating a token with incorrect values
Calculating a token with mismatched credentials
Calculating a token with an "issued at" time that's in the future
Calculating a token with an "expires at" time that's more than 12 hours in the future
Calculating more than 5 tokens from the same IP in under an hour