Platform concepts

Domain restrictions HTML API vs. JavaScript API Local development

Domain restrictions

By default, Canva Button API keys are locked to the following domains:

canva.com
localhost

If you try to use your API keys from other domains, Canva blocks the request and responds with a Forbidden (403) error.

Adding domains to the allowlist

To add a domain to Canva's allowlist:

Log in to the Developer Portal.
Under the Your Canva Button integrations heading, find the relevant integration and select View.
Select Add a referrer domain.
Enter a domain in the text field, such as example.com.

Changes to the form save automatically.

Using wildcard symbols

You can use the wildcard symbol (an asterisk) when adding domains in the allowlist. This makes it possible for Canva to accept requests from variations of a domain name.

The following table demonstrates some ways to use the wildcard symbol:

Domain	Matches
`example.com`	The exact domain name.
`*.example.com`	The domain name and subdomains.
`.example.com`	The domain name, subdomains, and subdirectories.