Guidelines for authenticating users.

Your app can identify and remember its users, either by using the auth.getCanvaUserToken API or by connecting to a third-party platform. This is typically used to make certain features and content available only to users who authenticate, or only to a subset of those users. This page contains guidelines for creating a delightful authentication flow.

Canva is a visual design platform whose users want to try an app and see its value quickly and easily.

Manual authentication (a login pop-up) is a way to place a user's content behind a gate, so it can be a helpful part of your app's workflow. However, requiring a user to log in before they have seen what the app can do is often enough to deter them from using it at all.

There are many variations of authentication workflows, and some produce a better experience for your users, which in turn leads to more usage of your app. For example, if your app only requires a login so that you can see who is using it, consider using user tokens (auth.getCanvaUserToken) instead of a login requirement.

Where appropriate and relevant, we recommend you use the following list as an order of preference. The higher on this list your app falls, the better the user experience, which in turn translates to more users of your app.

  1. All functions are available to the user. No authentication.
  2. All functions are available to the user, regardless of whether the user authenticates.
  3. Some functions of the app are available to the user, but they can still complete a basic workflow. The user must log in to use the other functions.
  4. Some functions of the app are available to the user to test the app, but they cannot complete a workflow. The user must log in to complete the workflow.
  5. No functions of the app are available to the user unless they authenticate.

An app can quickly and easily show its usefulness to users by being promoted within the Apps Marketplace, for example by inclusion in the "Featured apps" section.

However, an app is not eligible to be "Featured" unless a user can test its functionality before manual authentication occurs in the workflow. This means that only apps with no authentication, or apps that include a timed or per-use trial, can be featured.

  • Where possible, make the app usable and useful before the user has to authenticate. Give them a chance to benefit from the app as quickly and as seamlessly as possible.
  • Authentication flows must occur in the authentication pop-up window, not within the app's iframe — that is, sign-up and login forms should only appear in the pop-up window.
  • Start an authentication flow by calling the requestAuthentication method. This will display a screen with a Connect button. Do not show redundant authentication screens before this screen or attempt to bypass the standard authentication flow.
  • Prevent users from arriving at dead-ends or becoming stuck in endless loops.
  • Support non-desktop devices, such as mobile phones and tablets.
  • Do not auto-subscribe users to marketing content — all marketing material must be opt-in.
  • If the same user installs the same app under different teams, require them to authenticate separately for each team — do not automatically authenticate the user.
  • When a user disconnects (uninstalls) the app, delete the connection between the app and the third-party platform. If the user reconnects the app, they should be required to re-authenticate.
  • For the pop-up page, use the title HTML element to set a meaningful title on the authentication's pop-up window.
  • Provide clear and actionable error messages.
  • Ensure that the redirect URL appears familiar and trustworthy to the user, not like a phishing attempt.
  • Provide options for both signing up for and logging in to the platform.
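The following is an added example, not code from the original page or from the Canva SDK, sketching how an app can follow three of the rules above: keep the app usable when the pop-up is closed and never loop the user back into it, scope a third-party connection to one user in one team, and remove that connection on disconnect. It assumes the Canva user token has already been verified upstream (signature, audience, expiry) and that its claims include `userId` and `brandId` (the team). The status values `COMPLETED`, `ABORTED` and `DENIED`, the claim names, and every function name here are assumptions made for this example.

```javascript
// Added example: connection bookkeeping for a Canva app that links users to a
// third-party platform. Not from the page or the Canva SDK; all names assumed.

// --- Front end: decide what to do with one requestAuthentication() result ---
// Assumed result shape: { status: "COMPLETED" | "ABORTED" | "DENIED" | other }.
function decideNextStep(result, attempt, maxAttempts = 2) {
  switch (result && result.status) {
    case "COMPLETED":
      return { action: "unlock", message: null };
    case "ABORTED":
      // The user closed the pop-up. Leave them in the unauthenticated state with
      // the basic workflow still available; do not re-open the pop-up on them.
      return { action: "stay_unauthenticated", message: "You can connect later from the settings menu." };
    case "DENIED":
      return { action: "stay_unauthenticated", message: "Connection was declined. You can keep using the basic features." };
    default:
      // Unknown outcome: retry at most once, then stop so the user never loops.
      return attempt < maxAttempts
        ? { action: "retry", message: null }
        : { action: "stay_unauthenticated", message: "We couldn't complete the connection. Please try again later." };
  }
}

// Drive decideNextStep over a scripted sequence of pop-up outcomes (constructed
// test input) and report the final action plus how often the pop-up was opened.
function runScriptedFlow(outcomes, maxAttempts = 2) {
  let opened = 0;
  let step;
  do {
    const result = outcomes[opened] || { status: "UNKNOWN" };
    opened += 1;
    step = decideNextStep(result, opened, maxAttempts);
  } while (step.action === "retry");
  return { action: step.action, opened };
}

// --- Backend: per-user, per-team connection store ---
// Keyed by user AND team, so installing the app under another team does not
// silently inherit the link made in the first team.
const connections = new Map();

function connectionKey(claims) {
  // Assumed claim names; the token must have been verified before reaching here.
  if (!claims || typeof claims.userId !== "string" || typeof claims.brandId !== "string") {
    throw new Error("verified user token must carry userId and brandId");
  }
  return `${claims.userId}:${claims.brandId}`;
}

function isConnected(claims) {
  return connections.has(connectionKey(claims));
}

function recordConnection(claims, platformAccountId) {
  connections.set(connectionKey(claims), { platformAccountId, connectedAt: Date.now() });
}

// On disconnect (uninstall), drop the link entirely. A later reconnect finds
// nothing here and therefore has to go through the pop-up again.
function handleDisconnect(claims) {
  return connections.delete(connectionKey(claims));
}

// Tier 3 of the preference list: a basic feature always works, the rest is gated.
function availableFeatures(claims) {
  return { basicExport: true, cloudSync: isConnected(claims) };
}
```

The retry bound in `decideNextStep` is the part that prevents an endless loop: an unrecognised outcome is retried once and then surfaces a clear message, while `ABORTED` is never retried because the user chose to leave.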

There are many scenarios to consider when building an authentication flow. You are free to write your own copy for them. Alternatively, to speed up your development, you can use the suggested copy below.

Scenario | Suggested written content
--- | ---
Password is incorrect | Forgot password?
No email found | We couldn’t find that account. Try a different email or sign up.
One or all of the credentials are invalid | We couldn’t find that account. Try logging in a different way or sign up.
User needs to reset password | For your security, we’ve emailed you a link to reset your password.
Too many failed login attempts | Too many attempts. Please try again in X minute(s).
Password reset link expired or already used | Looks like you need a new password reset link.
User already has an account | Looks like you have an account already! Log in.
Not all form fields complete | Not quite done yet...
Incomplete field | You missed this one
Passwords don’t match | Those passwords don’t match
Invalid password (doesn’t meet criteria) | Use 8 or more characters with a mix of letters, numbers, and symbols.