Introspect an access token
Introspect an access token to see whether it is valid and active. You can also verify some token properties, such as its claims, scopes, and validity times.
Requests to this endpoint require authentication with your client ID and client secret, using one of the following methods:
- Basic access authentication (Recommended): For basic access authentication(opens in a new tab or window), the
{credentials}string must be a Base64 encoded value of{client id}:{client secret}. - Body parameters: Provide your integration's credentials using the
client_idandclient_secretbody parameters.
This endpoint can't be called from a user's web-browser client because it uses client authentication with client secrets. Requests must come from your integration's backend, otherwise they'll be blocked by Canva's Cross-Origin Resource Sharing (CORS)(opens in a new tab or window) policy.
HTTP method and URL path
Authentication
This endpoint uses HTTP basic access authentication and requires no scopes.
Header parameters
Content-TypestringRequiredIndicates the media type of the information sent in the request. This must be set to application/x-www-form-urlencoded.
For example: Content-Type: application/x-www-form-urlencoded
Body parameters
tokenstringRequiredThe token to introspect.
client_idstringOptionalYour integration's unique ID, for authenticating the request.
We recommend that you use basic access authentication instead of specifying client_id and client_secret as body parameters.
client_secretstringOptionalYour integration's client secret, for authenticating the request. Begins with cnvca.
We recommend that you use basic access authentication instead of specifying client_id and client_secret as body parameters.
Example request
Examples for using the /v1/oauth/introspect endpoint:
curl --request POST 'https://api.canva.com/rest/v1/oauth/introspect' \--header 'Authorization: Basic {credentials}' \--header 'Content-Type: application/x-www-form-urlencoded' \--data-urlencode 'token=JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo'
const fetch = require("node-fetch");const { URLSearchParams } = require("url");fetch("https://api.canva.com/rest/v1/oauth/introspect", {method: "POST",headers: {"Authorization": "Basic {credentials}","Content-Type": "application/x-www-form-urlencoded",},body: new URLSearchParams("token=JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo"),}).then(async (response) => {const data = await response.json();console.log(data);}).catch(err => console.error(err));
import java.io.IOException;import java.net.URI;import java.net.http.*;public class ApiExample {public static void main(String[] args) throws IOException, InterruptedException {HttpRequest request = HttpRequest.newBuilder().uri(URI.create("https://api.canva.com/rest/v1/oauth/introspect")).header("Authorization", "Basic {credentials}").header("Content-Type", "application/x-www-form-urlencoded").method("POST", HttpRequest.BodyPublishers.ofString("token=JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo")).build();HttpResponse<String> response = HttpClient.newHttpClient().send(request,HttpResponse.BodyHandlers.ofString());System.out.println(response.body());}}
import requestsheaders = {"Authorization": "Basic {credentials}","Content-Type": "application/x-www-form-urlencoded"}data = {"token": "JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo",}response = requests.post("https://api.canva.com/rest/v1/oauth/introspect",headers=headers,data=data)print(response.json())
using System.Net.Http;var client = new HttpClient();var request = new HttpRequestMessage{Method = HttpMethod.Post,RequestUri = new Uri("https://api.canva.com/rest/v1/oauth/introspect"),Headers ={{ "Authorization", "Basic {credentials}" },},Content = new StringContent("token=JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo",Encoding.UTF8,"application/x-www-form-urlencoded"),};using (var response = await client.SendAsync(request)){response.EnsureSuccessStatusCode();var body = await response.Content.ReadAsStringAsync();Console.WriteLine(body);};
package mainimport ("fmt""io""net/http""strings")func main() {payload := strings.NewReader("token=JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo")url := "https://api.canva.com/rest/v1/oauth/introspect"req, _ := http.NewRequest("POST", url, payload)req.Header.Add("Authorization", "Basic {credentials}")req.Header.Add("Content-Type", "application/x-www-form-urlencoded")res, _ := http.DefaultClient.Do(req)defer res.Body.Close()body, _ := io.ReadAll(res.Body)fmt.Println(string(body))}
$curl = curl_init();curl_setopt_array($curl, array(CURLOPT_URL => "https://api.canva.com/rest/v1/oauth/introspect",CURLOPT_CUSTOMREQUEST => "POST",CURLOPT_RETURNTRANSFER => true,CURLOPT_HTTPHEADER => array('Authorization: Basic {credentials}','Content-Type: application/x-www-form-urlencoded',),CURLOPT_POSTFIELDS => "token=JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo"));$response = curl_exec($curl);$err = curl_error($curl);curl_close($curl);if (empty($err)) {echo $response;} else {echo "Error: " . $err;}
require 'net/http'require 'uri'url = URI('https://api.canva.com/rest/v1/oauth/introspect')http = Net::HTTP.new(url.host, url.port)http.use_ssl = truerequest = Net::HTTP::Post.new(url)request['Authorization'] = 'Basic {credentials}'request['Content-Type'] = 'application/x-www-form-urlencoded'request.body = "token=JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo"response = http.request(request)puts response.read_body
Success response
If successful, the endpoint returns a 200 response with a JSON body with the following parameters:
activebooleanWhether the access token is active.
If true, the access token is valid and active. If false, the access token is invalid.
scopestringOptionalThe scopes that the token has been granted.
clientstringOptionalThe ID of the client that requested the token.
expintegerOptionalThe expiration time of the token, as a Unix timestamp(opens in a new tab or window) in seconds.
iatintegerOptionalWhen the token was issued, as a Unix timestamp(opens in a new tab or window) in seconds.
nbfintegerOptionalThe "not before" time of the token, which specifies the time before which the access token most not be accepted, as a Unix timestamp(opens in a new tab or window) in seconds.
jtistringOptionalA unique ID for the access token.
substringOptionalThe subject of the claim. This is the ID of the Canva user that the access token acts on behalf of.
This is an obfuscated value, so a single user has a unique ID for each integration. If the same user authorizes another integration, their ID in that other integration is different.
Example response
{"active": true,"scope": "asset:read design:meta:read design:permission:read folder:read","client": "OC-FAB12-AbCdEf","exp": 1712216144,"iat": 1712201744,"nbf": 1712201744,"jti": "AbC1d-efgHIJKLMN2oPqrS","sub": "oBCdEF1Gh2i3jkLmno-pq"}