Canva SCIM API

Overview Authentication Users, Groups, and Teams

SCIM User API reference

Create a user Get a user List users Update all information for a user Update individual attributes for a user Delete a user

SCIM Group API reference

Create a group Get a group List groups Update all information for a group Update individual attributes for a group Delete a group

Create a user with SCIM

Using information from an identity provider (IdP), create a Canva user in a Canva team.

The values for the email or userName parameters must be unique and can't already be in use.

This API is rate limited to 1 request per second.

HTTP method and URL path

POST https://www.canva.com/_scim/v2/Users

Header parameters

#Authorizationstring

Required

Provides credentials to authenticate the request, in the form of a Bearer token.

For example: Authorization: Bearer {token}

#Content-Typestring

Required

Indicates the media type of the information sent in the request. This must be set to application/scim+json.

For example: Content-Type: application/scim+json

Body parameters

#schemasstring[]

Required

The URIs of the SCIM schemas. The value for this can only be urn:ietf:params:scim:schemas:core:2.0:User.

#userNamestring

Required

A unique identifier for the user.

#emailsobject[]

Required

The email address for the user.

Properties of emails

#primaryboolean

Required

Whether the email is the primary address. Only one email address for a user can be the primary one.

#valuestring

Required

The email address.

#typestring

Required

The type of email address for the user. The Canva SCIM API only supports work as the type of the email address.

#externalIdstring

Optional

A string that is an identifier for the resource as defined by the provisioning client.

#displayNamestring

Optional

The name of the user, suitable for display to end-users.

#namename

Optional

The components of the user's name.

Properties of name

#givenNamestring

Optional

The first or 'given' name for the user.

#familyNamestring

Optional

The last or 'family' name for the user.

#localestring

Optional

The user's default location, for example en_AU.

#rolestring

Optional

The role of the user. This can be one of the following:

Member
Teacher
Staff
Admin
Template-designer
Aide
Administrator
School administrator
School
Tenant
Faculty

If an invalid value is provided, the role defaults to Member.

#activeboolean

Optional

Whether the user account is active. Setting this to false deprovisions the user in Canva.

Example request

Examples for using the /_scim/v2/Users endpoint:

curl --request POST 'https://www.canva.com/_scim/v2/Users' \
--header 'Authorization: Bearer {token}' \
--header 'Content-Type: application/scim+json' \
--data '{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "externalId": "{idp_provided_external_id}",
  "userName": "aliddell",
  "displayName": "Alice Liddell",
  "name": {
    "givenName": "Alice",
    "familyName": "Liddell"
  },
  "emails": [
    {
      "primary": true,
      "value": "[email protected]",
      "type": "work"
    }
  ],
  "locale": "en_US",
  "role": "Member"
}'

const fetch = require("node-fetch");

fetch("https://www.canva.com/_scim/v2/Users", {
  method: "POST",
  headers: {
    "Authorization": "Bearer {token}",
    "Content-Type": "application/scim+json",
  },
  body: JSON.stringify({
    "schemas": [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "externalId": "{idp_provided_external_id}",
    "userName": "aliddell",
    "displayName": "Alice Liddell",
    "name": {
      "givenName": "Alice",
      "familyName": "Liddell"
    },
    "emails": [
      {
        "primary": true,
        "value": "[email protected]",
        "type": "work"
      }
    ],
    "locale": "en_US",
    "role": "Member"
  }),
})
  .then(async (response) => {
    const data = await response.json();
    console.log(data);
  })
  .catch(err => console.error(err));

import java.io.IOException;
import java.net.URI;
import java.net.http.*;

public class ApiExample {
    public static void main(String[] args) throws IOException, InterruptedException {
        HttpRequest request = HttpRequest.newBuilder()
            .uri(URI.create("https://www.canva.com/_scim/v2/Users"))
            .header("Authorization", "Bearer {token}")
            .header("Content-Type", "application/scim+json")
            .method("POST", HttpRequest.BodyPublishers.ofString("{\"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"], \"externalId\": \"{idp_provided_external_id}\", \"userName\": \"aliddell\", \"displayName\": \"Alice Liddell\", \"name\": {\"givenName\": \"Alice\", \"familyName\": \"Liddell\"}, \"emails\": [{\"primary\": true, \"value\": \"[email protected]\", \"type\": \"work\"}], \"locale\": \"en_US\", \"role\": \"Member\"}"))
            .build();

        HttpResponse<String> response = HttpClient.newHttpClient().send(
            request,
            HttpResponse.BodyHandlers.ofString()
        );
        System.out.println(response.body());
    }
}

java

import requests

headers = {
    "Authorization": "Bearer {token}",
    "Content-Type": "application/scim+json"
}

data = {
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "externalId": "{idp_provided_external_id}",
    "userName": "aliddell",
    "displayName": "Alice Liddell",
    "name": {
        "givenName": "Alice",
        "familyName": "Liddell"
    },
    "emails": [
        {
            "primary": True,
            "value": "[email protected]",
            "type": "work"
        }
    ],
    "locale": "en_US",
    "role": "Member"
}

response = requests.post("https://www.canva.com/_scim/v2/Users",
    headers=headers,
    json=data
)
print(response.json())

using System.Net.Http;

var client = new HttpClient();
var request = new HttpRequestMessage
{
  Method = HttpMethod.Post,
  RequestUri = new Uri("https://www.canva.com/_scim/v2/Users"),
  Headers =
  {
    { "Authorization", "Bearer {token}" },
  },
  Content = new StringContent(
    "{\"schemas\": [\"urn:ietf:params:scim:schemas:core:2.0:User\"], \"externalId\": \"{idp_provided_external_id}\", \"userName\": \"aliddell\", \"displayName\": \"Alice Liddell\", \"name\": {\"givenName\": \"Alice\", \"familyName\": \"Liddell\"}, \"emails\": [{\"primary\": true, \"value\": \"[email protected]\", \"type\": \"work\"}], \"locale\": \"en_US\", \"role\": \"Member\"}",
    Encoding.UTF8,
    "application/scim+json"
  ),
};

using (var response = await client.SendAsync(request))
{
  response.EnsureSuccessStatusCode();
  var body = await response.Content.ReadAsStringAsync();
  Console.WriteLine(body);
};

csharp

package main

import (
	"fmt"
	"io"
	"net/http"
	"strings"
)

func main() {
	payload := strings.NewReader(`{
	  "schemas": [
	    "urn:ietf:params:scim:schemas:core:2.0:User"
	  ],
	  "externalId": "{idp_provided_external_id}",
	  "userName": "aliddell",
	  "displayName": "Alice Liddell",
	  "name": {
	    "givenName": "Alice",
	    "familyName": "Liddell"
	  },
	  "emails": [
	    {
	      "primary": true,
	      "value": "[email protected]",
	      "type": "work"
	    }
	  ],
	  "locale": "en_US",
	  "role": "Member"
	}`)

	url := "https://www.canva.com/_scim/v2/Users"
	req, _ := http.NewRequest("POST", url, payload)
	req.Header.Add("Authorization", "Bearer {token}")
	req.Header.Add("Content-Type", "application/scim+json")

	res, _ := http.DefaultClient.Do(req)
	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)
	fmt.Println(string(body))
}

$curl = curl_init();
curl_setopt_array($curl, array(
  CURLOPT_URL => "https://www.canva.com/_scim/v2/Users",
  CURLOPT_CUSTOMREQUEST => "POST",
  CURLOPT_RETURNTRANSFER => true,
  CURLOPT_HTTPHEADER => array(
    'Authorization: Bearer {token}',
    'Content-Type: application/scim+json',
  ),
  CURLOPT_POSTFIELDS => json_encode([
    "schemas" => [
      "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "externalId" => "{idp_provided_external_id}",
    "userName" => "aliddell",
    "displayName" => "Alice Liddell",
    "name" => [
      "givenName" => "Alice",
      "familyName" => "Liddell"
    ],
    "emails" => [
      [
        "primary" => true,
        "value" => "[email protected]",
        "type" => "work"
      ]
    ],
    "locale" => "en_US",
    "role" => "Member"
  ])
));

$response = curl_exec($curl);
$err = curl_error($curl);
curl_close($curl);

if (empty($err)) {
  echo $response;
} else {
  echo "Error: " . $err;
}

php

require 'net/http'
require 'uri'

url = URI('https://www.canva.com/_scim/v2/Users')
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Post.new(url)
request['Authorization'] = 'Bearer {token}'
request['Content-Type'] = 'application/scim+json'
request.body = <<REQUEST_BODY
{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "externalId": "{idp_provided_external_id}",
  "userName": "aliddell",
  "displayName": "Alice Liddell",
  "name": {
    "givenName": "Alice",
    "familyName": "Liddell"
  },
  "emails": [
    {
      "primary": true,
      "value": "[email protected]",
      "type": "work"
    }
  ],
  "locale": "en_US",
  "role": "Member"
}
REQUEST_BODY

response = http.request(request)
puts response.read_body

ruby

Success response

If successful, the endpoint returns a 201 response with a JSON body with the following parameters:

#schemasstring[]

The URIs of the SCIM schemas. The value for this can only be urn:ietf:params:scim:schemas:core:2.0:User.

#idstring

The Canva-generated SCIM ID for the user.

#metaobject

Meta properties for the user.

Properties of meta

#resourceTypestring

The SCIM resource type of the object. The value for this can only be User.

#createdstring

The timestamp when the object was created.

#userNamestring

A unique identifier for the user.

#displayNamestring

The name of the user, suitable for display to end-users.

#emailsobject[]

The email address for the user.

Properties of emails

#primaryboolean

Whether the email is the primary address. Only one email address for a user can be the primary one.

#valuestring

The email address.

#typestring

The type of email address for the user. The Canva SCIM API only supports work as the type of the email address.

#activeboolean

Whether the user account is active. Setting this to false deprovisions the user in Canva.

#rolestring

The role of the user. This can be one of the following:

Member
Teacher
Staff
Admin
Template-designer
Aide
Administrator
School administrator
School
Tenant
Faculty

If an invalid value is provided, the role defaults to Member.

#externalIdstring

Optional

A string that is an identifier for the resource as defined by the provisioning client.

#namename

Optional

The components of the user's name.

Properties of name

#givenNamestring

Optional

The first or 'given' name for the user.

#familyNamestring

Optional

The last or 'family' name for the user.

#localestring

Optional

The user's default location, for example en_AU.

Example response

{
  "schemas": [
    "urn:ietf:params:scim:schemas:core:2.0:User"
  ],
  "id": "UAFdxab1abC",
  "externalId": "abcd1234",
  "meta": {
    "resourceType": "User",
    "created": "2023-09-18T06:08:35Z"
  },
  "userName": "aliddell",
  "displayName": "Alice Liddell",
  "name": {
    "givenName": "Alice",
    "familyName": "Liddell"
  },
  "emails": [
    {
      "primary": true,
      "value": "[email protected]",
      "type": "work"
    }
  ],
  "active": true,
  "locale": "en_US",
  "role": "Member"
}

json

Error responses

400 Bad request

#schemasstring[]

The value for this can only be urn:ietf:params:scim:api:messages:2.0:Error.

#detailstring

The value for this can only be No SSO configurations found, please check the settings page.

#statusstring

The HTTP status code of the error.

Example error response

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "detail": "No SSO configurations found, please check the settings page",
  "status": "400"
}

json

403 Forbidden

#schemasstring[]

The value for this can only be urn:ietf:params:scim:api:messages:2.0:Error.

#detailstring

The value for this can only be Email domain not authorized for SCIM..

#statusstring

The HTTP status code of the error.

Example error response

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "detail": "Email domain not authorized for SCIM.",
  "status": "403"
}

json

409 Conflict

#schemasstring[]

The value for this can only be urn:ietf:params:scim:api:messages:2.0:Error.

#detailstring

This can be one of the following:

userName not available
Account with email can not be updated. User needs to accept SSO linking
Account with email already exists. User must first log in with SAML to confirm account ownership
Account with email is soft deleted. The user must first log in to reactivate their account

#statusstring

The HTTP status code of the error.

Example error response

{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:Error"
  ],
  "detail": "userName not available",
  "status": "409"
}

json