App Development

Overview Quick start Changelog

Platform concepts

Apps Extensions Regions Authentication Deprecation policy

Extensions

Content extensions Publish extensions

Backend development

Base URL Continuation Signature verification SDKs

Distribution

UX guidelines Submission checklist Creating the App Directory listing

Server API

Overview GET /apps/configured POST /configuration POST /configuration/delete POST /content/resources/find POST /publish/resources/find POST /publish/resources/get POST /publish/resources/upload Redirect URL

Reference

Languages

POST /configuration/delete

API reference for the "/configuration/delete" endpoint.

If an app supports authentication, Canva sends a POST request to the following endpoint when a user disconnects the app from Canva:

<authentication_base_url>/configuration/delete

bash

The purpose of this request is to de-authenticate the user, allowing them to either re-authenticate with different credentials or to simply remove the connection between Canva and the app's backend.

Request

Endpoint

POST <authentication_base_url>/configuration/delete

bash

Headers

Property	Type	Required	Description
`X-Canva-Signatures`	string	Yes	A comma-separated list of request signatures. The name of this header is sometimes lowercase (e.g. `x-canva-signatures`).
`X-Canva-Timestamp`	string	Yes	The UNIX timestamp (in seconds) of when Canva sent the request. The name of this header is sometimes lowercase (e.g. `x-canva-timestamp`).

Body

Properties

Property	Type	Required	Description
`user`	string	Yes	The ID of the user.
`brand`	string	Yes	The ID of the user's team.

Example

{
  "user": "<user>",
  "brand": "<brand>"
}

json

Responses

200 - Success

Properties

Property	Type	Required	Description
`type`	`"SUCCESS"`	Yes	The type of response.

Example

{
  "type": "SUCCESS"
}

json

200 - Error

Properties

Property	Type	Required	Description
`type`	`"ERROR"`	Yes	The type of response.
`errorCode`	string	Yes	An error code that describes what went wrong. Enum: `"CONFIGURATION_REQUIRED"`, `"FORBIDDEN"`, `"INTERNAL_ERROR"`, `"INVALID_REQUEST"`, `"NOT_FOUND"`, `"TIMEOUT"`

Example

{
  "type": "ERROR",
  "errorCode": "<error_code>"
}

json

401 - Invalid request signature or timestamp

An extension must verify the request signature and timestamp of all incoming requests. When an extension can't verify either of these values, it must reject the request with a 401 status code.