Domain restrictions

By default, Canva Button API keys are locked to the following domains:

  • localhost

If you try to use your API keys from other domains, Canva blocks the request and responds with a Forbidden (403) error.

To add a domain to Canva's allowlist:

  1. Log in to the Developer Portal.
  2. Under the Your Canva Button integrations heading, find the relevant integration and select View.
  3. Select Add a referrer domain.
  4. Enter a domain in the text field, such as

Changes to the form save automatically.

You can use the wildcard symbol (an asterisk) when adding domains in the allowlist. This makes it possible for Canva to accept requests from variations of a domain name.

The following table demonstrates some ways to use the wildcard symbol:

example.comThe exact domain name.
*.example.comThe domain name and subdomains.
**The domain name, subdomains, and subdirectories.