Skip navigation

Skip to main content

Authentication
Authentication

Revoke a token

Revoke a token and its lineage.

Revoke an access token or a refresh token.

If you revoke a refresh token, be aware that:

  • The refresh token's lineage is also revoked. This means that access tokens created from that refresh token are also revoked.
  • The user's consent for your integration is also revoked. This means that the user must go through the OAuth process again to use your integration.

Requests to this endpoint require authentication with your client ID and client secret, using one of the following methods:

  • Basic access authentication (Recommended): For basic access authentication(opens in a new tab or window), the {credentials} string must be a Base64 encoded value of {client id}:{client secret}.
  • Body parameters: Provide your integration's credentials using the client_id and client_secret body parameters.

This endpoint can't be called from a user's web-browser client because it uses client authentication with client secrets. Requests must come from your integration's backend, otherwise they'll be blocked by Canva's Cross-Origin Resource Sharing (CORS)(opens in a new tab or window) policy.

HTTP method and URL path

POST https://api.canva.com/rest/v1/oauth/revoke

Authentication

This endpoint uses HTTP basic access authentication and requires no scopes.

Header parameters

Authorizationstring
OPTIONAL

Provides credentials to authenticate the request, in the form of basic access authentication(opens in a new tab or window).

For example: Authorization: Basic {credentials}

We recommend that you use basic access authentication instead of specifying client_id and client_secret as body parameters.

Content-Typestring
REQUIRED

Indicates the media type of the information sent in the request. This must be set to application/x-www-form-urlencoded.

For example: Content-Type: application/x-www-form-urlencoded

Body parameters

tokenstring
REQUIRED

The token to revoke.

client_idstring
OPTIONAL

Your integration's unique ID, for authenticating the request.

We recommend that you use basic access authentication instead of specifying client_id and client_secret as body parameters.

client_secretstring
OPTIONAL

Your integration's client secret, for authenticating the request. Begins with cnvca.

We recommend that you use basic access authentication instead of specifying client_id and client_secret as body parameters.

Example request

Examples for using the /v1/oauth/revoke endpoint:

curl --request POST 'https://api.canva.com/rest/v1/oauth/revoke' \
--header 'Authorization: Basic {credentials}' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'token=agALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo' \
--data-urlencode 'client_id=OC-FAB12-AbCdEf' \
--data-urlencode 'client_secret=cnvcaAbcdefg12345_hijklm6789'
SH
const fetch = require("node-fetch");
const { URLSearchParams } = require("url");


fetch("https://api.canva.com/rest/v1/oauth/revoke", {
  method: "POST",
  headers: {
    "Authorization": "Basic {credentials}",
    "Content-Type": "application/x-www-form-urlencoded",
  },
  body: new URLSearchParams("token=agALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo&client_id=OC-FAB12-AbCdEf&client_secret=cnvcaAbcdefg12345_hijklm6789"),
})
  .then(async (response) => {
    const data = await response.json();
    console.log(data);
  })
  .catch(err => console.error(err));
JS
import java.io.IOException;
import java.net.URI;
import java.net.http.*;


public class ApiExample {
    public static void main(String[] args) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder()
            .uri(URI.create("https://api.canva.com/rest/v1/oauth/revoke"))
            .header("Authorization", "Basic {credentials}")
            .header("Content-Type", "application/x-www-form-urlencoded")
            .method("POST", HttpRequest.BodyPublishers.ofString("token=agALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo&client_id=OC-FAB12-AbCdEf&client_secret=cnvcaAbcdefg12345_hijklm6789"))
            .build();


        HttpResponse<String> response = HttpClient.newHttpClient().send(
            request,
            HttpResponse.BodyHandlers.ofString()
        );
        System.out.println(response.body());
    }
}
JAVA
import requests


headers = {
    "Authorization": "Basic {credentials}",
    "Content-Type": "application/x-www-form-urlencoded"
}


data = {
    "token": "agALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo",
    "client_id": "OC-FAB12-AbCdEf"
    "client_secret": "cnvcaAbcdefg12345_hijklm6789",
}


response = requests.post("https://api.canva.com/rest/v1/oauth/revoke",
    headers=headers,
    data=data
)
print(response.json())
PY
using System.Net.Http;


var client = new HttpClient();
var request = new HttpRequestMessage
{
  Method = HttpMethod.Post,
  RequestUri = new Uri("https://api.canva.com/rest/v1/oauth/revoke"),
  Headers =
  {
    { "Authorization", "Basic {credentials}" },
  },
  Content = new StringContent(
    "token=agALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo&client_id=OC-FAB12-AbCdEf&client_secret=cnvcaAbcdefg12345_hijklm6789",
    Encoding.UTF8,
    "application/x-www-form-urlencoded"
  ),
};


using (var response = await client.SendAsync(request))
{
  response.EnsureSuccessStatusCode();
  var body = await response.Content.ReadAsStringAsync();
  Console.WriteLine(body);
};
CSHARP
package main


import (
	"fmt"
	"io"
	"net/http"
	"strings"
)


func main() {
	payload := strings.NewReader("token=agALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo&client_id=OC-FAB12-AbCdEf&client_secret=cnvcaAbcdefg12345_hijklm6789")


	url := "https://api.canva.com/rest/v1/oauth/revoke"
	req, _ := http.NewRequest("POST", url, payload)
	req.Header.Add("Authorization", "Basic {credentials}")
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")


	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)
	fmt.Println(string(body))
}
GO
$curl = curl_init();
curl_setopt_array($curl, array(
  CURLOPT_URL => "https://api.canva.com/rest/v1/oauth/revoke",
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_HTTPHEADER => array(
    'Authorization: Basic {credentials}',
    'Content-Type: application/x-www-form-urlencoded',
  ),
  CURLOPT_POSTFIELDS => "token=agALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo&client_id=OC-FAB12-AbCdEf&client_secret=cnvcaAbcdefg12345_hijklm6789"
));


$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);


if (empty($err)) {
  echo $response;
} else {
  echo "Error: " . $err;
}
PHP
require 'net/http'
require 'uri'


url = URI('https://api.canva.com/rest/v1/oauth/revoke')
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true


request = Net::HTTP::Post.new(url)
request['Authorization'] = 'Basic {credentials}'
request['Content-Type'] = 'application/x-www-form-urlencoded'
request.body = "token=agALLazU0i2ld9WW4zTO4kaG0lkvP8Y5sSO206ZwxNF4E1y3xKJKF7TzN17BXTfaNOeY0P88AeRCE6cRF7SJzvf3Sx97rA80sGHtFplFo&client_id=OC-FAB12-AbCdEf&client_secret=cnvcaAbcdefg12345_hijklm6789"


response = http.request(request)
puts response.read_body
RUBY

Success response

If successful, the endpoint returns a 200 response with an empty JSON body.

Example response

{}
JSON