Canva Security Basics

Overview
Security best practices for Canva Connect API OAuth 2.0 tokens, client credentials, and webhook verification. The Canva API uses OAuth with PKCE — there are no static API keys.

Token Security
Never Expose Client Secrets
Token Storage
Token Revocation
Least-Privilege Scopes

Webhook Signature Verification
Canva signs webhook payloads with JWK. Verify before processing.

Security Checklist
- [ ] Client secret stored in environment variables / secret manager
- [ ] files in
- [ ] Token exchange and refresh happen server-side only
- [ ] Access tokens encrypted at rest…
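
The "verify before processing" step from the webhook section, as an added example that is not code from the original page or from Canva. It assumes the webhook arrives as a compact JWS signed with Ed25519 (`alg: EdDSA`) and that the JWK set has already been fetched; `verifyWebhookJws`, `makeFixture` and `rejects` are hypothetical names, and the key pair is constructed locally so the block runs offline.

```javascript
const nodeCrypto = require('node:crypto');

const fromB64u = (s) => Buffer.from(s, 'base64url');
const toB64u = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

// Verify a compact JWS (header.payload.signature) against a JWK set and
// return the parsed payload. Throws on any failure, so callers cannot
// accidentally process an unverified event.
function verifyWebhookJws(token, jwks) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = JSON.parse(fromB64u(h).toString('utf8'));
  // Pin the algorithm (assumed EdDSA); never let the header choose it.
  if (header.alg !== 'EdDSA') throw new Error('unexpected alg');
  // Select the key by kid and require the expected key type.
  const jwk = jwks.find((k) => k.kid === header.kid);
  if (!jwk || jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519') throw new Error('unknown key');
  const key = nodeCrypto.createPublicKey({
    key: { kty: jwk.kty, crv: jwk.crv, x: jwk.x }, format: 'jwk',
  });
  // The signature covers the exact received bytes of "header.payload".
  if (!nodeCrypto.verify(null, Buffer.from(`${h}.${p}`), key, fromB64u(s))) {
    throw new Error('bad signature');
  }
  return JSON.parse(fromB64u(p).toString('utf8'));
}

// Constructed fixture: a throwaway Ed25519 key pair stands in for the sender.
function makeFixture(payload, kid = 'constructed-kid-1') {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const jwks = [{ ...publicKey.export({ format: 'jwk' }), kid }];
  const input = `${toB64u({ alg: 'EdDSA', kid })}.${toB64u(payload)}`;
  const sig = nodeCrypto.sign(null, Buffer.from(input), privateKey).toString('base64url');
  return { jwks, token: `${input}.${sig}` };
}

// Returns true only if verification rejects the token.
function rejects(token, jwks) {
  try { verifyWebhookJws(token, jwks); return false; } catch { return true; }
}
```

Parse and act on the event only from the value this function returns, never from the raw request body.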