canva-security-basics

Apply Canva Connect API security best practices for OAuth tokens and access control. Use when securing OAuth credentials, implementing least-privilege scopes, or auditing Canva integration security. Trigger with phrases like "canva security", "canva secrets", "secure canva", "canva token security", "canva OAuth security".

AI & Automation 2,266 stars 315 forks Updated today MIT

Skill Content

# Canva Security Basics

## Overview

Security best practices for Canva Connect API OAuth 2.0 tokens, client credentials, and webhook verification. The Canva API uses OAuth with PKCE — there are no static API keys.

## Token Security

### Never Expose Client Secrets

```bash
# .env (NEVER commit)
CANVA_CLIENT_ID=OCAxxxxxxxxxxxxxxxx
CANVA_CLIENT_SECRET=xxxxxxxxxxxxxxxx

# .gitignore — mandatory entries
.env
.env.local
.env.*.local
```

```typescript
// WRONG — client-side JavaScript can't safely hold secrets
// Token exchange and refresh MUST happen server-side
// "Requests that require authenticating with your client ID and
// client secret can't be made from a web-browser client" — Canva docs
```

### Token Storage

```typescript
// Store tokens encrypted at rest — they grant access to user's Canva account
interface CanvaTokens {
  accessToken: string;  // Valid ~4 hours
  refreshToken: string; // Single-use — always save the latest
  expiresAt: number;
}

interface SecureTokenStore {
  save(userId: string, tokens: CanvaTokens): Promise<void>;
  get(userId: string): Promise<CanvaTokens | null>;
  delete(userId: string): Promise<void>;
}

// Production: use your database with encryption
// Never store tokens in: localStorage, cookies without httpOnly, log files, git
```

### Token Revocation

```typescript
// Revoke tokens when user disconnects your integration
async function revokeCanvaToken(token: string, clientId: string, clientSecret: string) {
  const basicAuth = Buffer.from(`${clientId}:${clie...
```
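An added example, not part of the skill or of Canva's own code: one way to meet the "encrypted at rest" requirement from the Token Storage section, using AES-256-GCM from Node's `crypto` module. The names `sealTokens`, `openTokens` and `EncryptedTokenStore`, the in-memory `Map` standing in for a database, and the synchronous methods (the interface above is Promise-based) are assumptions made for illustration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

interface CanvaTokens { accessToken: string; refreshToken: string; expiresAt: number; }

// Encrypt a token set with AES-256-GCM. The userId is bound as additional
// authenticated data, so a row copied onto another user fails to decrypt.
function sealTokens(userId: string, tokens: CanvaTokens, key: Buffer): string {
  const iv = randomBytes(12); // fresh 96-bit nonce on every write
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(userId, "utf8"));
  const body = Buffer.concat([cipher.update(JSON.stringify(tokens), "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString("base64");
}

// Returns null on tampering, a wrong key, or a wrong user instead of throwing.
function openTokens(userId: string, sealed: string, key: Buffer): CanvaTokens | null {
  const raw = Buffer.from(sealed, "base64");
  if (raw.length < 28) return null; // 12-byte IV + 16-byte auth tag
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, raw.subarray(0, 12));
    decipher.setAAD(Buffer.from(userId, "utf8"));
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    return JSON.parse(plain.toString("utf8")) as CanvaTokens;
  } catch {
    return null;
  }
}

// The Map stands in for a database table (assumption for this example).
class EncryptedTokenStore {
  private rows = new Map<string, string>();
  private key: Buffer;
  constructor(key: Buffer) {
    if (key.length !== 32) throw new Error("key must be 32 bytes");
    this.key = key;
  }
  save(userId: string, tokens: CanvaTokens): void {
    // Overwrite in place: refresh tokens are single-use, only the latest is valid.
    this.rows.set(userId, sealTokens(userId, tokens, this.key));
  }
  get(userId: string): CanvaTokens | null {
    const sealed = this.rows.get(userId);
    return sealed ? openTokens(userId, sealed, this.key) : null;
  }
  delete(userId: string): void { this.rows.delete(userId); }
}
```

Load the 32-byte key from a secret manager or KMS rather than from the same database that holds the encrypted rows.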

Details

Author: jeremylongshore
Repository: jeremylongshore/claude-code-plugins-plus-skills
Created: 7 months ago
Last Updated: today
Language: Python
License: MIT
