Get the public keys for webhooks
The Keys API (connect/keys) is a security measure you can use to verify the authenticity of webhooks you receive from Canva Connect. The Keys API returns a JSON Web Key (JWK), which you can use to check the webhook signature and verify it came from Canva and not a potentially malicious actor. This helps to protect your systems from replay attacks.
The keys returned by the Keys API can rotate. We recommend you cache the keys you receive from this API where possible, and only access this API when you receive a webhook signed with an unrecognized key. This allows you to verify webhooks quicker than accessing this API every time you receive a webhook.
HTTP method and URL path
GET https://api.canva.com/rest/v1/connect/keys
Authentication
This endpoint is public and doesn't require authentication.
Example request
Examples for using the /v1/connect/keys endpoint:
curl --request GET 'https://api.canva.com/rest/v1/connect/keys'
Success response
If successful, the endpoint returns a 200 response with a JSON body with the following parameters:
keys: A JSON Web Key Set (JWKS) with public keys used for signing webhooks. You can use this JWKS to verify that a webhook was sent from Canva.
Properties of keys
The kid (key ID) is a unique identifier for a public key. When the keys used to sign webhooks are rotated, you can use this ID to select the correct key within a JWK Set during the key rollover. The kid value is case-sensitive.
The kty (key type) identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC". Only Octet Key Pairs (OKPs) are supported. The kty value is case-sensitive. For more information on the kty property and OKPs, see RFC-8037 — "kty" (Key Type) Parameter.
The crv (curve) property identifies the elliptic curve used with the key. Only "Ed25519" is supported. For more information on the crv property, see RFC-8037 — Key Type "OKP".
The x property is the elliptic curve public key. The key is Base64urlUInt-encoded. For more information on the x property, see RFC-8037 — "x" (X Coordinate) Parameter.
Example response
{
  "keys": [
    {
      "kid": "a418dc7d-ecc5-5c4b-85ce-e1104a8addbe",
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "aIQtqd0nDfB-ug0DrzZbwTum-1ITdXvKxGFak_1VB2j"
    },
    {
      "kid": "c8de5bec1-1b88-4ddaae04acc-ce415-5d7",
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "m2d1FT-gfBXxIzKwdQVTra0D-aBq_ubZ1jI0GuvkDtn"
    }
  ]
}
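The caching advice and the key properties above, as an added Python example (not Canva's code): a key cache that selects keys by exact kid, accepts only OKP keys on Ed25519, and refetches the JWKS only for an unrecognized kid. The names KeyCache, fetch_jwks and jwk_to_ed25519_bytes and the 60-second minimum refetch interval are assumptions made for this example.

```python
import base64
import json
import time
import urllib.request

JWKS_URL = "https://api.canva.com/rest/v1/connect/keys"  # endpoint from this page

def fetch_jwks(url=JWKS_URL):
    """Download the JWKS; the endpoint is public, so no credentials are sent."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return json.load(resp)

def jwk_to_ed25519_bytes(jwk):
    """Return the raw 32-byte Ed25519 public key from a JWK, or raise ValueError."""
    # kty and crv are case-sensitive, so compare exactly.
    if jwk.get("kty") != "OKP" or jwk.get("crv") != "Ed25519":
        raise ValueError("only OKP keys on Ed25519 are supported")
    x = jwk.get("x")
    if not isinstance(x, str):
        raise ValueError("missing x property")
    raw = base64.urlsafe_b64decode(x + "=" * (-len(x) % 4))  # restore padding
    if len(raw) != 32:
        raise ValueError("an Ed25519 public key is exactly 32 bytes")
    return raw

class KeyCache:
    """Keys by kid; refetches only for an unrecognized kid, rate limited."""
    def __init__(self, fetch=fetch_jwks, min_refresh_seconds=60, clock=time.monotonic):
        self._fetch, self._min, self._clock = fetch, min_refresh_seconds, clock
        self._keys, self._last_fetch = {}, None

    def _refresh(self):
        keys = {}
        for jwk in self._fetch().get("keys", []):
            try:
                keys[jwk["kid"]] = jwk_to_ed25519_bytes(jwk)
            except (AttributeError, KeyError, TypeError, ValueError):
                continue  # skip malformed or unsupported entries
        # Replace the whole map so keys dropped from the JWKS stop being trusted.
        self._keys, self._last_fetch = keys, self._clock()

    def get(self, kid):
        """Return the key bytes for kid, or None if the JWKS does not list it."""
        if kid not in self._keys:  # exact match: kid is case-sensitive
            # Refetch at most once per interval (assumed 60 s) so forged kid
            # values cannot trigger an outbound request for every webhook.
            if self._last_fetch is None or self._clock() - self._last_fetch >= self._min:
                self._refresh()
        return self._keys.get(kid)
```

The bytes returned by get() are the raw public key to pass to an Ed25519 verifier; a None result means the webhook names a key Canva does not publish and should be rejected.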