Get the public keys for webhooks

API reference for the keys method.

The Keys API (connect/keys) is a security measure you can use to verify the authenticity of webhooks you receive from Canva Connect. The Keys API returns a JSON Web Key (JWK), which you can use to decrypt the webhook signature and verify it came from Canva and not a potentially malicious actor. This helps to protect your systems from Replay attacks.

The keys returned by the Keys API can rotate. We recommend you cache the keys you receive from this API where possible, and only access this API when you receive a webhook signed with an unrecognized key. This allows you to verify webhooks quicker than accessing this API every time you receive a webhook.

HTTP method and URL path

GET https://api.canva.com/rest/v1/connect/keys

Authentication

This endpoint is public and doesn't require authentication.

Example request

Examples for using the /v1/connect/keys endpoint:

curl --request GET 'https://api.canva.com/rest/v1/connect/keys'

import java.io.IOException;
import java.net.URI;
import java.net.http.*;

public class ApiExample {
    public static void main(String[] args) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder()
            .uri(URI.create("https://api.canva.com/rest/v1/connect/keys"))
            .method("GET", HttpRequest.BodyPublishers.noBody())
            .build();

        HttpResponse<String> response = HttpClient.newHttpClient().send(
            request,
            HttpResponse.BodyHandlers.ofString()
        );
        System.out.println(response.body());
    }
}

java

Success response

If successful, the endpoint returns a 200 response with a JSON body with the following parameters:

#keysEdDsaJwk[]

A Json Web Key Set (JWKS) with public keys used for signing webhooks. You can use this JWKS to verify that a webhook was sent from Canva.

Properties of keys

#kidstring

The kid (key ID) is a unique identifier for a public key. When the keys used to sign webhooks are rotated, you can use this ID to select the correct key within a JWK Set during the key rollover. The kid value is case-sensitive.

#ktystring

The kty (key type) identifies the cryptographic algorithm family used with the key, such as "RSA" or "EC". Only Octet Key Pairs (OKPs) are supported. The kty value is case-sensitive. For more information on the kty property and OKPs, see RFC-8037 — "kty" (Key Type) Parameter.

#crvstring

The crv (curve) property identifies the curve used for elliptical curve encryptions. Only "Ed25519" is supported. For more information on the crv property, see RFC-8037 — Key Type "OKP".

#xstring

The x property is the public key of an elliptical curve encryption. The key is Base64urlUInt-encoded. For more information on the x property, see RFC-8037 — "x" (X Coordinate) Parameter.

Example response

{
  "keys": [
    {
      "kid": "a418dc7d-ecc5-5c4b-85ce-e1104a8addbe",
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "aIQtqd0nDfB-ug0DrzZbwTum-1ITdXvKxGFak_1VB2j"
    },
    {
      "kid": "c8de5bec1-1b88-4ddaae04acc-ce415-5d7",
      "kty": "OKP",
      "crv": "Ed25519",
      "x": "m2d1FT-gfBXxIzKwdQVTra0D-aBq_ubZ1jI0GuvkDtn"
    }
  ]
}

json