Canvas Developer Guide

Getting Started
Using Canvas
Canvas SDK
Referencing the Canvas SDK
Authentication
Signed Request Authentication
OAuth 2.0 Authorization
SAML Single Sign-On for Canvas Apps
Getting Context in Your Canvas App
Cross-Domain XHR
Alternatives to Cookies for User Tracking
Resizing a Canvas App
Implementing Canvas App Events
Using Streaming API in a Canvas App
Debugging in a Canvas App
Using the <select> Tag in a Canvas App
Canvas Apps and Visualforce Pages
Lightning Component Code Examples
Canvas Apps in a Page Layout or a Mobile Card
Canvas Apps in the Publisher
Canvas Apps in the Chatter Feed
Canvas in the Salesforce Mobile App
Customizing Your App Lifecycle
Reference
PDF

Newer Version Available

This content describes an older version of this product. View Latest

Authentication

When you create a Canvas app, you can use the signed request authentication method or the OAuth 2.0 authentication method.

If your Canvas app URL contains a URL fragment identifier (#), then the hash mark (#) and all characters that follow are stripped from the URL during the authentication flow. To prevent unexpected behavior, avoid using hash marks (#) in a Canvas app URL.

Important

  • Signed request—The default method of authentication for Canvas apps. The signed request containing the consumer key, access token, and other contextual information is provided to the Canvas app in one of these ways.
    • The administrator allows access to the Canvas app for the user.
    • The user approves the Canvas app in the OAuth flow.
  • OAuth 2.0—Canvas apps can use the OAuth 2.0 protocol to authorize and acquire access tokens. For more information about OAuth and the Lightning Platform, see Authorize Apps with OAuth.