This is old documentation. Go to the latest Customer's Canvas docs


Security in Web API

Customer's Canvas supports two security models that are based on either user tokens or security keys.

The first model assumes client-server communication: you create an authorization token for a single user, for example to let that user call the Web API of the private image gallery. You then send this token along with the userId to protect the request.

The other model assumes that requests are sent to the Web API only from the backend and requires you to send a secret key in a request header. When you use Web API controllers such as Fonts or ProductTemplates, your HTTPS requests must include the X-CustomersCanvasAPIKey: "UniqueSecurityKey" field in their headers. "UniqueSecurityKey" is an arbitrary string, but it must be a unique value, which you define in the Configuration\AppSettings.config file.

    <add key="ApiSecurityKey" value="UniqueSecurityKey" />

Customer's Canvas allows you to enable or disable authentication and HTTP support for individual requests. You define your security policy in the Configuration\AuthSettings.config file. For example, to disable checking the security key for the api/ProductTemplates/Designs and api/ProductTemplates/Mockups endpoints, set authRequired to false for these routes:

    name="Getting the list of Designs"

    name="Getting the list of Mockups"

Note that these routes must be configured before the api/ProductTemplates/{*} route in AuthSettings.config.


All snippets in this section define this security key in JavaScript code. This is highly insecure if the snippets run on a public site, because anyone can read the key from the page source. However, you can use them this way in your admin panel or just for demonstration purposes.

For real applications, there should be back-end code that, like a proxy, sends requests to the controllers: your code decides whether a user has enough rights to manipulate templates, fonts, or images, and only if the user has those rights does it send the request to the corresponding controller.

Now, let us refer to the Web API for working with the Design Editor.

In This Section

Design and Mockup Files
State Files
User Images
Personalized Rendering
Authentication with Tokens
Private Image Gallery
Webhooks for State Files