You can configure apps to remember user data, whether by using the
auth.getCanvaUserToken API or connecting with a third-party platform. This functionality is typically used to make certain features and content available only to users who authenticate or to only a subset of users. This page contains some guidelines for creating a delightful authentication flow.
Authentication in your app's workflow
Canva is a visual design platform with users who want to experience an app and quickly and easily see its value.
Manual authentication (creating a log in pop-up) can be a way to place users' content behind a gate, so it could be considered helpful to implement it as part of your app's workflow. However, requiring a user to log in before they can see as much function as possible can be enough to deter them from continue using your app.
There's many variations of authentication workflows, but some examples can produce a better experience for your users and in turn can lead to more usage of your app. For example, if your app requires the user to log in just so that you can see data about who is using your app, consider using user tokens instead of a log in requirement.
Where appropriate and relevant, we recommend you use the following list as an order of preference. The higher on this list your app falls translates to a better user experience, which in turn translates to more users of your app.
- All functions are available to the user. No authentication.
- All functions are available to the user, regardless if the user authenticates.
- Some functions of the app are available to the user, but they can still complete a basic workflow. The user must log in to use the other functions.
- Some functions of the app are available to the user to test the app, but they cannot complete a workflow. The user must log in to complete the workflow.
- No functions of the app are available to the user unless they authenticate.
Authentication and the Apps Marketplace
An app can quickly and easily show its usefulness to a user by being promoted within the Apps Marketplace, such as inclusion in the "Featured apps" section.
However, an app is not eligible to be "Featured" unless a user can test functionality before manual authentication occurs in the workflow. This means that only apps that have no authentication or those that include a timed or per-use trial can be featured apps.
Tracking user numbers without authentication
As an alternative to manual authentication, the
auth.getCanvaUserToken API exists to track users before they complete any authorization. Each user is assigned a unique ID, which you can use to track app usage without needing a user to sign in.
Authentication flow guidelines
- Where possible, make the app usable and useful before the user has to authenticate. Give them a chance to benefit from the app as quickly and as seamlessly as possible.
- Authentication flows must occur in the authentication pop-up window, not within the app's iframe — that is, sign up and login forms should only appear in the pop-up window.
- Start an authentication flow by calling the
requestAuthenticationmethod. This will display a screen with a Connect button. Do not show redundant authentication screens before this screen or attempt to bypass the standard authentication flow.
- Prevent users from arriving at dead-ends or becoming stuck in endless loops.
- Support non-desktop devices, such as mobile phones and tablets.
- Do not auto-subscribe users to marketing content — all marketing material must be opt-in.
- If the same user installs the same app under different teams, require them to authenticate separately for each team — do not automatically authenticate the user.
- When a user disconnects (uninstalls) the app, delete the connection between the app and the third-party platform. If the user reconnects the app, they should be required to re-authenticate.
- For the pop-up page, use the
titleHTML element to set a meaningful title on the authentication's pop-up window.
- Provide clear and actionable error messages.
- Ensure that the redirect URL appears familiar and friendly — that is, not like a phishing threat.
- Provide options for both signing up for and logging in to the platform.
Suggested copy for authentication flows
There can be many scenarios to consider when building an authentication flow. You are free to make your own copy to communicate authentication flows. Alternatively, to speed up your development, we've provided some suggested copy that you can use
|Password is incorrect||Forgot password?|
|No email found||We couldn’t find that account. Try a different email or sign up.|
|One or all of the credentials are invalid||We couldn’t find that account. Try logging in a different way or sign up.|
|User needs to reset password||For your security, we’ve emailed your a link to reset your password.|
|Too many failed login attempts||Too many attempts. Please try again in X minute(s).|
|Password reset link expired or used already||Looks like you need a new password reset link.|
|User already has an account||Looks like you have an account already! Log in.|
|Not all form fields complete||Not quite done yet...|
|Incomplete fields||You missed this one|
|Passwords don’t match||Those passwords don’t match|
|Invalid password– doesn’t meet criteria||Use 8 or more characters with a mix of letters, numbers, and symbols.|