Introspect an access token

Introspect a token to see its validity and properties.

Introspect an access token to see whether it is valid and active. You can also verify some token properties, such as its claims, scopes, and validity times.

Requests to this endpoint require authentication with your client ID and client secret, using one of the following methods:

  • Basic access authentication (Recommended): For basic access authentication, the {credentials} string must be a Base64 encoded value of {client id}:{client secret}.
  • Body parameters: Provide your integration's credentials using the client_id and client_secret body parameters.

This endpoint can't be called from a user's web-browser client because it uses client authentication with client secrets. Requests must come from your integration's backend, otherwise they'll be blocked by Canva's Cross-Origin Resource Sharing (CORS) policy.

POST https://api.canva.com/rest/v1/oauth/introspect

This endpoint uses HTTP basic access authentication and requires no scopes.

Authorization (string)
Optional

Provides credentials to authenticate the request, in the form of basic access authentication.

For example: Authorization: Basic {credentials}

Content-Type (string)
Required

Indicates the media type of the information sent in the request. This must be set to application/x-www-form-urlencoded.

For example: Content-Type: application/x-www-form-urlencoded

token (string)
Required

The token to introspect.

client_id (string)
Optional

Your integration's unique ID, for authenticating the request.

client_secret (string)
Optional

Your integration's client secret, for authenticating the request. Begins with cnvca.

Examples for using the /v1/oauth/introspect endpoint:

```sh
curl --request POST 'https://api.canva.com/rest/v1/oauth/introspect' \
--header 'Authorization: Basic {credentials}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=JagALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo'
```

If successful, the endpoint returns a 200 response with a JSON body with the following parameters:

active (boolean)

Whether the access token is active.

If true, the access token is valid and active. If false, the access token is invalid.

scope (string)
Optional

The scopes that the token has been granted.

client (string)
Optional

The ID of the client that requested the token.

exp (integer)
Optional

The expiration time of the token, as a Unix timestamp in seconds.

iat (integer)
Optional

When the token was issued, as a Unix timestamp in seconds.

nbf (integer)
Optional

The "not before" time of the token, which specifies the time before which the access token must not be accepted, as a Unix timestamp in seconds.

jti (string)
Optional

A unique ID for the access token.

sub (string)
Optional

The subject of the claim. This is the ID of the Canva user that the access token acts on behalf of.

This is an obfuscated value, so a single user has a unique ID for each integration. If the same user authorizes another integration, their ID in that other integration is different.

```json
{
  "active": true,
  "scope": "asset:read design:meta:read design:permission:read folder:read",
  "client": "OC-FAB12-AbCdEf",
  "exp": 1712216144,
  "iat": 1712201744,
  "nbf": 1712201744,
  "jti": "AbC1d-efgHIJKLMN2oPqrS",
  "sub": "oBCdEF1Gh2i3jkLmno-pq"
}
```
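The following is an added backend example, not code from Canva's documentation or SDK, showing how an integration would call this endpoint with basic access authentication and then decide, from the response fields listed above, whether to accept the token. It builds the `Authorization: Basic` header from the client ID and secret, sends `token` as `application/x-www-form-urlencoded`, and then checks `active`, `exp`, `nbf`, the granted `scope` values and (optionally) the `client` field against what the backend requires. The function names, the `required_scopes`, `expected_client` and `leeway` parameters, and the sample response (copied from the page's example) are assumptions of this example; only the endpoint URL, headers and response fields come from the page.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

INTROSPECT_URL = "https://api.canva.com/rest/v1/oauth/introspect"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the 'Basic {credentials}' header value, where {credentials}
    is Base64({client id}:{client secret}) as the page specifies."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def introspect_token(token: str, client_id: str, client_secret: str,
                     timeout: float = 10.0) -> dict:
    """POST the token to the introspection endpoint from the backend
    (never from a browser; the secret must not leave the server) and
    return the parsed JSON body."""
    body = urllib.parse.urlencode({"token": token}).encode("ascii")
    request = urllib.request.Request(
        INTROSPECT_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.loads(response.read().decode("utf-8"))


def evaluate_introspection(info: dict, required_scopes, expected_client=None,
                           now=None, leeway: int = 0):
    """Decide whether a token should be accepted. Returns (ok, reason).

    The checks mirror the response fields documented above: 'active'
    must be true, the current time must lie inside [nbf, exp), every
    scope the backend needs must be in the granted 'scope' string, and
    the token must have been issued to the expected client ID. 'leeway'
    (seconds) is an assumption of this example to tolerate clock skew."""
    now = time.time() if now is None else now

    if info.get("active") is not True:
        return False, "token is not active"

    exp = info.get("exp")
    if exp is not None and now >= exp + leeway:
        return False, "token has expired"

    nbf = info.get("nbf")
    if nbf is not None and now < nbf - leeway:
        return False, "token is not yet valid (nbf in the future)"

    granted = set(info.get("scope", "").split())
    missing = set(required_scopes) - granted
    if missing:
        return False, "missing scopes: " + " ".join(sorted(missing))

    if expected_client is not None and info.get("client") != expected_client:
        return False, "token was issued to a different client"

    return True, "ok"


# Constructed sample: the success response shown on the page, used here
# so the decision logic can be exercised without calling the live endpoint.
SAMPLE_RESPONSE = {
    "active": True,
    "scope": "asset:read design:meta:read design:permission:read folder:read",
    "client": "OC-FAB12-AbCdEf",
    "exp": 1712216144,
    "iat": 1712201744,
    "nbf": 1712201744,
    "jti": "AbC1d-efgHIJKLMN2oPqrS",
    "sub": "oBCdEF1Gh2i3jkLmno-pq",
}


if __name__ == "__main__":
    # Evaluate the sample at a time between nbf and exp.
    print(evaluate_introspection(SAMPLE_RESPONSE, {"asset:read", "folder:read"},
                                 expected_client="OC-FAB12-AbCdEf",
                                 now=1712210000))
```

Note that `evaluate_introspection` treats `active` as the primary signal, as the page instructs, and only then applies the time and scope checks; a backend should also treat any non-200 response from `introspect_token` (raised by `urlopen` as an `HTTPError`) as "do not accept" rather than as a transient condition to retry with the same token.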