canva-prod-checklist
Execute Canva Connect API production deployment checklist and go-live procedures. Use when deploying Canva integrations to production, preparing for launch, or validating production readiness. Trigger with phrases like "canva production", "deploy canva", "canva go-live", "canva launch checklist".
Best use case
canva-prod-checklist is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Execute Canva Connect API production deployment checklist and go-live procedures. Use when deploying Canva integrations to production, preparing for launch, or validating production readiness. Trigger with phrases like "canva production", "deploy canva", "canva go-live", "canva launch checklist".
Teams using canva-prod-checklist should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/canva-prod-checklist/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How canva-prod-checklist Compares
| Feature / Agent | canva-prod-checklist | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Execute Canva Connect API production deployment checklist and go-live procedures. Use when deploying Canva integrations to production, preparing for launch, or validating production readiness. Trigger with phrases like "canva production", "deploy canva", "canva go-live", "canva launch checklist".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
AI Agents for Startups
Explore AI agent skills for startup validation, product research, growth experiments, documentation, and fast execution with small teams.
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Canva Production Checklist
## Overview
Complete checklist for deploying Canva Connect API integrations to production, covering OAuth configuration, security, error handling, monitoring, and Canva's integration review process.
## Pre-Deployment
### OAuth & Security
- [ ] Client ID and secret stored in secret manager (not env files)
- [ ] Redirect URIs use HTTPS and match production domains
- [ ] Only required OAuth scopes requested (least privilege)
- [ ] Access tokens stored encrypted at rest
- [ ] Refresh token rotation handled (single-use tokens)
- [ ] Token revocation implemented for user disconnect
- [ ] No client secrets in frontend code
### API Integration
- [ ] All API calls use `api.canva.com/rest/v1/*` endpoints
- [ ] Rate limits respected with exponential backoff (see `canva-rate-limits`)
- [ ] Export polling implemented with timeout (don't poll forever)
- [ ] 429 responses handled with `Retry-After` header
- [ ] 401 responses trigger automatic token refresh
- [ ] Error responses parsed and logged (without tokens)
- [ ] Blank designs auto-delete warning handled (7-day window)
- [ ] Export download URLs consumed within 24-hour window
### Webhook Security
- [ ] Webhook endpoint uses HTTPS
- [ ] JWK signature verification implemented (see `canva-webhooks-events`)
- [ ] Webhook handler returns 200 immediately
- [ ] Heavy processing done asynchronously
- [ ] Idempotency keys prevent duplicate processing
### Data Handling
- [ ] No access tokens in log output
- [ ] User design metadata treated as sensitive
- [ ] Temporary URLs (thumbnails, exports) not cached beyond expiry
- [ ] Thumbnail URLs expire in 15 minutes — refresh as needed
- [ ] Edit/view URLs expire in 30 days — regenerate via API
## Production Readiness Verification
```bash
#!/bin/bash
# canva-prod-verify.sh
echo "=== Canva Production Readiness ==="
# 1. Verify API connectivity from production
HTTP_CODE=$(curl -s -o /dev/null -w "%{http_code}" \
-H "Authorization: Bearer $CANVA_ACCESS_TOKEN" \
"https://api.canva.com/rest/v1/users/me")
echo "[$([ $HTTP_CODE = 200 ] && echo 'PASS' || echo 'FAIL')] API connectivity: HTTP $HTTP_CODE"
# 2. Test design creation
DESIGN=$(curl -s -X POST "https://api.canva.com/rest/v1/designs" \
-H "Authorization: Bearer $CANVA_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d '{"design_type":{"type":"custom","width":100,"height":100},"title":"Prod Test"}')
DESIGN_ID=$(echo "$DESIGN" | python3 -c "import sys,json; print(json.load(sys.stdin)['design']['id'])" 2>/dev/null)
echo "[$([ -n "$DESIGN_ID" ] && echo 'PASS' || echo 'FAIL')] Design creation: $DESIGN_ID"
# 3. Test export
if [ -n "$DESIGN_ID" ]; then
EXPORT=$(curl -s -X POST "https://api.canva.com/rest/v1/exports" \
-H "Authorization: Bearer $CANVA_ACCESS_TOKEN" \
-H "Content-Type: application/json" \
-d "{\"design_id\":\"$DESIGN_ID\",\"format\":{\"type\":\"png\"}}")
EXPORT_ID=$(echo "$EXPORT" | python3 -c "import sys,json; print(json.load(sys.stdin)['job']['id'])" 2>/dev/null)
echo "[$([ -n "$EXPORT_ID" ] && echo 'PASS' || echo 'FAIL')] Export job: $EXPORT_ID"
fi
echo ""
echo "=== Done ==="
```
## Canva Integration Review
For **public integrations** (available to all Canva users), you must pass Canva's review:
1. Submit your integration for review in the Canva developer portal
2. Canva reviews security, OAuth implementation, and UX
3. Preview features (e.g., webhooks) are **not allowed** in public integrations
4. Fix any issues and resubmit
**Private integrations** (your organization only) do not require review.
## Health Check Endpoint
```typescript
app.get('/health', async (req, res) => {
const start = Date.now();
let canvaStatus = 'unknown';
try {
const me = await fetch('https://api.canva.com/rest/v1/users/me', {
headers: { 'Authorization': `Bearer ${getServiceToken()}` },
signal: AbortSignal.timeout(5000),
});
canvaStatus = me.ok ? 'healthy' : `error:${me.status}`;
} catch {
canvaStatus = 'unreachable';
}
res.json({
status: canvaStatus === 'healthy' ? 'healthy' : 'degraded',
services: { canva: { status: canvaStatus, latencyMs: Date.now() - start } },
timestamp: new Date().toISOString(),
});
});
```
## Monitoring Alerts
| Alert | Condition | Severity |
|-------|-----------|----------|
| Auth failures | 401 errors > 0 | P1 |
| Rate limited | 429 errors > 5/min | P2 |
| Export failures | `license_required` or `internal_failure` | P3 |
| API unreachable | Connection timeout | P1 |
| Token refresh fails | Refresh returns error | P1 |
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| Token refresh loop | Revoked refresh token | Re-authorize user |
| Export stuck `in_progress` | Backend delay | Timeout after 120s, retry |
| Webhook URL rejected | HTTP not HTTPS | Use HTTPS endpoint |
| Review rejection | Using preview features | Remove preview-only features |
## Resources
- [Canva Connect Quickstart](https://www.canva.dev/docs/connect/quickstart/)
- [Creating Integrations](https://www.canva.dev/docs/connect/creating-integrations/)
- [Canva Changelog](https://www.canva.dev/docs/connect/changelog/)
## Next Steps
For version upgrades, see `canva-upgrade-migration`.Related Skills
workhuman-prod-checklist
Workhuman prod checklist for employee recognition and rewards API. Use when integrating Workhuman Social Recognition, or building recognition workflows with HRIS systems. Trigger: "workhuman prod checklist".
wispr-prod-checklist
Wispr Flow prod checklist for voice-to-text API integration. Use when integrating Wispr Flow dictation, WebSocket streaming, or building voice-powered applications. Trigger: "wispr prod checklist".
windsurf-prod-checklist
Execute Windsurf production readiness checklist for team and enterprise deployments. Use when rolling out Windsurf to a team, preparing for enterprise deployment, or auditing production configuration. Trigger with phrases like "windsurf production", "windsurf team rollout", "windsurf go-live", "windsurf enterprise deploy", "windsurf checklist".
webflow-prod-checklist
Execute Webflow production deployment checklist — token security, rate limit hardening, health checks, circuit breakers, gradual rollout, and rollback procedures. Use when deploying Webflow integrations to production or preparing for launch. Trigger with phrases like "webflow production", "deploy webflow", "webflow go-live", "webflow launch checklist", "webflow production ready".
vercel-prod-checklist
Vercel production deployment checklist with rollback and promotion procedures. Use when deploying to production, preparing for launch, or implementing go-live and instant rollback procedures. Trigger with phrases like "vercel production", "deploy vercel prod", "vercel go-live", "vercel launch checklist", "vercel promote".
veeva-prod-checklist
Veeva Vault prod checklist for REST API and clinical operations. Use when working with Veeva Vault document management and CRM. Trigger: "veeva prod checklist".
vastai-prod-checklist
Execute Vast.ai production deployment checklist for GPU workloads. Use when deploying training pipelines to production, preparing for large-scale GPU jobs, or auditing production readiness. Trigger with phrases like "vastai production", "deploy vastai", "vastai go-live", "vastai launch checklist".
twinmind-prod-checklist
Complete production deployment checklist for TwinMind integrations. Use when preparing to deploy, auditing production readiness, or ensuring best practices are followed. Trigger with phrases like "twinmind production", "deploy twinmind", "twinmind go-live checklist", "twinmind production ready".
together-prod-checklist
Together AI prod checklist for inference, fine-tuning, and model deployment. Use when working with Together AI's OpenAI-compatible API. Trigger: "together prod checklist".
techsmith-prod-checklist
TechSmith prod checklist for Snagit COM API and Camtasia automation. Use when working with TechSmith screen capture and video editing automation. Trigger: "techsmith prod checklist".
supabase-prod-checklist
Execute Supabase production deployment checklist covering RLS, key hygiene, connection pooling, backups, monitoring, Edge Functions, and Storage policies. Use when deploying to production, preparing for launch, or auditing a live Supabase project for security and performance gaps. Trigger with "supabase production", "supabase go-live", "supabase launch checklist", "supabase prod ready", "deploy supabase", "supabase production readiness".
stackblitz-prod-checklist
Production checklist for WebContainer apps: headers, browser support, fallbacks. Use when working with WebContainers or StackBlitz SDK. Trigger: "stackblitz production".