Disconnecting users

How to disconnect a user from an app.

After a user connects (installs) an app, they can disconnect (uninstall) it.

When a user disconnects an app, the app should de-authenticate the user from any platforms they're authenticated with. If they reconnect the app at a later time, they should have to re-authenticate.

This offers a couple of benefits:

  • Users can change the account they're authenticated with.
  • Users feel more secure in how their data is handled.

Handling disconnection requests

When a user disconnects an app, Canva sends a POST request to the following endpoint:

<authentication_base_url>/configuration/delete

<authentication_base_url> is a placeholder for the app's Authentication base URL. You can configure this URL in the Developer Portal, via the app's Add authentication page.

The ID of the user is included in the body of the request, via the user property. The backend can use this ID to determine which user to disconnect from the app.

The following snippet is a minimal example of how to handle these requests:

app.post("/configuration/delete", async (req, res) => {
  // Get the user's ID from the request body
  const { user } = req.body;
  // Load the database
  const data = await db.read();
  // Remove the user from the database
  await db.write({
    users: data.users.filter((userId) => userId !== user),
  });
  // Confirm that the user was removed
  res.send({
    type: "SUCCESS",
  });
});

How an app de-authenticates a user depends on how it authenticated them in the first place. For example, the app might toggle an is_authenticated property in the "users" table of a database.

Once the user is disconnected, the app must respond with a 200 status code and the following object:

{
"type": "SUCCESS"
}

This confirms to Canva that the user was successfully de-authenticated.
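The following is an added example, not code from the original page. It sketches a stricter version of the disconnection logic that validates the user property, deletes the user's stored third-party credentials so that a reconnect forces re-authentication, and treats repeated requests as success. The in-memory store, the function names, and the 400 response for a malformed body are assumptions; the page only defines the 200 response.

```javascript
// Constructed in-memory store standing in for the app's database (assumption).
function createStore() {
  return {
    // Canva user IDs currently connected to the app (constructed sample values)
    users: new Set(["user-a", "user-b"]),
    // Credentials the app holds for the third-party platform (constructed sample values)
    tokens: new Map([["user-a", "tok-a"], ["user-b", "tok-b"]]),
  };
}

// Hypothetical helper: returns the status code and body the route should send.
function handleDisconnect(store, body) {
  const user = body && body.user;
  // Accept only a non-empty string. An array or object in place of the ID
  // must never reach the data layer, where it could match other records.
  if (typeof user !== "string" || user.length === 0) {
    // Assumption: the page does not define an error response for this endpoint.
    return { status: 400, body: null };
  }
  // Delete the stored credentials first, then the user record, so no
  // credential outlives the connection it belonged to.
  store.tokens.delete(user);
  store.users.delete(user);
  // Deleting an already-absent user is not an error: the end state is the
  // same, so a retried request still gets the confirmation.
  return { status: 200, body: { type: "SUCCESS" } };
}

// A user counts as authenticated only while both records exist.
function isAuthenticated(store, user) {
  return store.users.has(user) && store.tokens.has(user);
}

// Wiring into the route shown above (Express, as in the page's snippet):
// app.post("/configuration/delete", (req, res) => {
//   const result = handleDisconnect(store, req.body);
//   res.status(result.status).send(result.body);
// });
```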