The Extensions documentation is no longer updated. Read the new Canva API docs here.

Regenerate a client secret

What to do when a client secret is leaked.

If your app's client secret is leaked or committed to source control, the secret is no longer secure and you need to regenerate it. But this poses a problem: disabling the current secret will cause verified requests to fail until the app starts using the new secret.

To avoid this problem, Canva supports key rotation. This means you can generate a new secret without immediately disabling the existing secret.

When more than one client secret is active at a time, Canva sends multiple request signatures with every request. Each signature is calculated using one of the active client secrets. The app only needs to verify one of these signatures to confirm the authenticity of the request. This allows you to regenerate client secrets without causing downtime.

To regenerate your app's client secret:

  1. Navigate to an app via the Developer Portal.
  2. Open the Verification page.
  3. Click Regenerate.
  4. In the Expiry time field, enter the number of hours the existing client secret should remain active for. The maximum value is 168 hours (7 days).
  5. Click Regenerate client secret.

The new client secret appears in the Client secret field.