Signature verification is a security mechanism that verifies the authenticity of HTTP requests. Once setup, it guarantees that all requests received by an app:
- Originate from Canva
- Haven't been tampered with
This protects your app and our users from a variety of attacks.
How signature verification works
When Canva sends an HTTP request to an app, it calculates a request signature.
A request signature is a unique token that's calculated with two ingredients:
- The app's Client secret, a sensitive value that's only known to Canva and the app.
- The details of the request, such as the timestamp, body, and path of a
The signature is sent with the request, either via the headers or a query parameter.
When an app receives a request, it uses the same ingredients to calculate a signature of its own and checks if that signature is included in the request. If it is, the app can assume the request is authentic, as third parties are incapable of calculating a valid signature. Otherwise, the request is not authentic and the app can reject it.
The only way a third-party can forge a request is if they have access to the app's Client secret. If this happens, the Client secret can be regenerated via the Developer Portal.
When is signature verification required?
You can disable signature verification if all of the following conditions are met:
- Your app doesn't use the Authentication capability.
- Your app doesn't store user data in any capacity.
- Your app only sends requests to publicly documented APIs.
Otherwise, signature verification is a strict requirement and it's not possible to submit an app for review until it passes a signature verification test.
Signature verification is not enforced while developing an app, so it's fine to develop an app's features first and think about signature verification when the app is ready to be distributed.
How Canva confirms that requests are verified
If signature verification is enabled, Canva requires an app to pass a signature verification test before the app can be submitted for review. This test sends a mix of valid and invalid requests to the app's endpoints.
The test passes if the valid requests are accepted and the invalid requests are rejected.
To learn more, see Signature verification test.