Skip navigation
Skip to main content
Canva Developers logo
Design guidelines
Design guidelines

Authentication

Guidelines for authenticating users.

You can configure apps to remember user data, whether by using the auth.getCanvaUserToken API or connecting with a third-party platform. This functionality is typically used to make certain features and content available only to users who authenticate or to only a subset of users. This page contains some guidelines for creating a delightful authentication flow.

Authentication in your app's workflow

Canva is a visual design platform with users who want to experience an app and quickly and easily see its value.

Manual authentication (creating a log in pop-up) can be a way to place users' content behind a gate, so it could be considered helpful to implement it as part of your app's workflow. However, requiring a user to log in before they can see as much function as possible can be enough to deter them from continue using your app.

There's many variations of authentication workflows, but some examples can produce a better experience for your users and in turn can lead to more usage of your app. For example, if your app requires the user to log in just so that you can see data about who is using your app, consider using user tokens instead of a log in requirement.

Authentication workflows

Where appropriate and relevant, we recommend you use the following list as an order of preference. The higher on this list your app falls translates to a better user experience, which in turn translates to more users of your app.

  1. All functions are available to the user. No authentication.
  2. All functions are available to the user, regardless if the user authenticates.
  3. Some functions of the app are available to the user, but they can still complete a basic workflow. The user must log in to use the other functions.
  4. Some functions of the app are available to the user to test the app, but they cannot complete a workflow. The user must log in to complete the workflow.
  5. No functions of the app are available to the user unless they authenticate.

Authentication and the Apps Marketplace

An app can quickly and easily show its usefulness to a user by being promoted within the Apps Marketplace, such as inclusion in the "Featured apps" section.

However, an app is not eligible to be "Featured" unless a user can test functionality before manual authentication occurs in the workflow. This means that only apps that have no authentication or those that include a timed or per-use trial can be featured apps.

General guidelines

Authentication flow guidelines

  • Where possible, make the app usable and useful before the user has to authenticate. Give them a chance to benefit from the app as quickly and as seamlessly as possible.
  • Authentication flows must occur in the authentication pop-up window, not within the app's iframe — that is, sign up and login forms should only appear in the pop-up window.
  • Start an authentication flow by calling the requestAuthentication method. This will display a screen with a Connect button. Do not show redundant authentication screens before this screen or attempt to bypass the standard authentication flow.
  • Prevent users from arriving at dead-ends or becoming stuck in endless loops.
  • Support non-desktop devices, such as mobile phones and tablets.
  • Do not auto-subscribe users to marketing content — all marketing material must be opt-in.
  • If the same user installs the same app under different teams, require them to authenticate separately for each team — do not automatically authenticate the user.
  • When a user disconnects (uninstalls) the app, delete the connection between the app and the third-party platform. If the user reconnects the app, they should be required to re-authenticate.

Pop-up guidelines

  • For the pop-up page, use the title HTML element to set a meaningful title on the authentication's pop-up window.
  • Provide clear and actionable error messages.
  • Ensure that the redirect URL appears familiar and friendly — that is, not like a phishing threat.
  • Provide options for both signing up for and logging in to the platform.

Suggested copy for authentication flows

There can be many scenarios to consider when building an authentication flow. You are free to make your own copy to communicate authentication flows. Alternatively, to speed up your development, we've provided some suggested copy that you can use

ScenarioSuggested copy
Password is incorrectForgot password?
No email foundWe couldn’t find that account. Try a different email or sign up.
One or all of the credentials are invalidWe couldn’t find that account. Try logging in a different way or sign up.
User needs to reset passwordFor your security, we’ve emailed your a link to reset your password.
Too many failed login attemptsToo many attempts. Please try again in X minute(s).
Password reset link expired or used alreadyLooks like you need a new password reset link.
User already has an accountLooks like you have an account already! Log in.
Not all form fields completeNot quite done yet...
Incomplete fieldsYou missed this one
Passwords don’t matchThose passwords don’t match
Invalid password– doesn’t meet criteriaUse 8 or more characters with a mix of letters, numbers, and symbols.