Forbidden (403)

While creating an integration, you may encounter the following Forbidden (403) error:

This error can occur for a few different reasons.

A user can only edit a design that they created. If you call the editDesign method and pass through a designId of a design not created by the current user, Canva responds with a 403 error.

By default, an integration's API keys are locked to the following domains:

  • localhost

If requests don't originate from these domains, Canva responds to the requests with a 403 error.

To use the API keys from other domains, you need to request Canva to add the domains to the allowlist.

To raise a request:

  1. Navigate to the Canva Helpdesk.
  2. Select Integration support.
  3. In the Domains field, list the other domains.

When an integration loads the product catalog, the request that's sent to Canva must include the Referer HTTP header. Canva uses the Referer header to identify if the integration's domain is on the allowlist.

Sometimes though, the Referrer-Policy header is set to a value that prevents Canva from receiving the Referer header:

Referrer-Policy: no-referrer
Referrer-Policy: no-referrer-when-downgrade

As a result, Canva can't confirm if the origin domain is on the allowlist and blocks the request, causing the 403 error.

To fix this problem, we generally recommend setting the Referrer-Policy header to the strict-origin-when-cross-origin header. This ensures that the origin is sent with cross-origin requests, which allows Canva to verify if the origin domain is on the allowlist.

For more information, refer to Referrer-Policy.

When initializing the Partnership SDK, an integration needs to provide an autoAuthToken:

(async () => {
const api = await Canva.Partnership.initialize({
apiKey: "<api_key>",
autoAuthToken: "<auto_auth_token>",
container: document.getElementById("container"),

If this token is invalid, Canva responds with a 403 error.

These are some reasons why an autoAuthToken might be invalid:

When calculating a token, double-check the following values

  • The integration's Partner API key.
  • The integration's Partner API secret.
  • The ID of the end user (that is, the ID of the partner's customer).
  • The "issued at" time of the token as a UNIX timestamp (in seconds).
  • The "expires at" time of the token as a UNIX timestamp (in seconds).

Are the values accurate? Are they of the correct type?

Verify that the Partner API key and Partner API secret are for the same environment. You can't, for instance, calculate a token using the "production" API key and the "test" API secret.

There is some leniency, as it's possible for server clocks to not be perfectly synchronized, but the "issued at" time should be as accurate as reasonably possible.

The Partnership SDK requires autoAuthTokens to expire in 12 hours or less.

You can't calculate more than 5 autoAuthTokens from the same IP address in under an hour. If end users are returning to an integration more than 5 times per hour, you can avoid reaching this limit by saving the autoAuthToken in a cookie or via local storage.