When an app starts an authentication flow, Canva opens a popup window:
Within this window, Canva redirects the user to the app's Redirect URL. (This URL can be configured in the Developer Portal, via the Add authentication page.)
The Redirect URL should point to a page that lets users authenticate via a third-party platform. For example, this could be a login form with a username and password or the start of an OAuth 2.0 authorization flow.
It's worth noting that Canva doesn't care how users authenticate. The app controls the specific implementation details. Canva only cares how the app starts and ends the authentication flow.
Query parameters
When redirecting users to the Redirect URL, Canva appends the following query parameters to the URL:
- brand
- extensions
- signatures
- state
- time
- user
All of these parameters serve a purpose, but the user and state parameters are particularly important.
user
The user parameter contains the ID of the user. Your app can use this ID to create a mapping between the user's account on Canva and the user's account on a third-party platform.
For example, if a platform has a users table in its database, it could add a canvaUserId column. When the user logs in, the platform could save the user's Canva ID to this column. On return visits, the app could determine whether the user is authenticated by checking if a mapping exists.
A more sophisticated approach would be to generate an access token, such as a JSON Web Token (JWT), that encodes information about the user's authentication status and their exact privileges.
state
The state parameter contains a token that is unique to each authentication flow. An app must temporarily store this token and return it to Canva at the end of the flow. This protects against CSRF attacks.
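As an added example (not Canva's own code) covering both the user mapping and the state handling described above, this Node.js snippet parses the query parameters Canva appends to the Redirect URL, stores the state token while the flow is in progress, and checks it once when the flow ends. The in-memory pending-flow store, the ten-minute expiry and the account mapping are assumptions standing in for a real session store and users table.

```javascript
// Added example, not Canva's own code. In-memory Maps stand in for a real
// session store and users table; the expiry window is an assumption.
const REQUIRED = ["brand", "extensions", "signatures", "state", "time", "user"];
const STATE_TTL_MS = 10 * 60 * 1000;

// Parse the query parameters Canva appends to the Redirect URL.
function parseRedirectQuery(url) {
  const params = new URL(url).searchParams;
  const query = {};
  for (const key of REQUIRED) {
    const value = params.get(key);
    if (!value) throw new Error(`missing query parameter: ${key}`);
    query[key] = value;
  }
  return query;
}

// Pending flows keyed by the state token, with an expiry so an abandoned
// flow cannot be completed much later.
const pendingFlows = new Map();

function beginFlow(query, now = Date.now()) {
  pendingFlows.set(query.state, { user: query.user, expires: now + STATE_TTL_MS });
}

// End of the flow: the state handed back must be one we stored, unexpired,
// and is consumed on first use. Returns the Canva user ID, or null.
function completeFlow(returnedState, now = Date.now()) {
  const entry = pendingFlows.get(returnedState);
  if (!entry) return null;
  pendingFlows.delete(returnedState); // single use
  if (entry.expires < now) return null;
  return entry.user;
}

// Stand-in for the canvaUserId column: Canva user ID -> platform account ID.
const canvaUserToAccount = new Map();

function linkAccount(canvaUserId, platformAccountId) {
  canvaUserToAccount.set(canvaUserId, platformAccountId);
}

// On a return visit, the user is authenticated if a mapping exists.
function isAuthenticated(canvaUserId) {
  return canvaUserToAccount.has(canvaUserId);
}
```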