GPT-5.6 (Sol / Terra / Luna) is now evaluated on TrustVector โ€” with day-1 independent verification, incl. METR's benchmark-cheating findings.

Read the evaluation
Evaluation record ยท mcp-server-canva

Canva MCP Server (AI Connector)

v2026.7

Canva

MCPdesigncontent-creationcanvamcp
74
Adequate
About This MCP

Canva's official MCP server, branded the AI Connector, hosted at https://mcp.canva.com/mcp over streamable HTTP with per-user OAuth (CIMD supported; custom clients register redirect URIs via an allowlist). Around 32 tools cover design generation and editing, library search, asset upload, folders, comments, exports (PDF/PNG/JPG/PPTX/MP4), resize, and brand-template autofill. Feature-gated by plan: resize needs Pro+, autofill and brand kits need Enterprise. Closed source.

Last Evaluated: July 9, 2026
Official Website

Trust Vector Analysis

Dimension Breakdown

๐Ÿš€Performance & Reliability
+
design generation quality

Assessment of generated design fidelity against text specifications across formats and templates

Evidence
Canva MCP Tools Documentation โ€” generate-design creates designs from text specifications and transactional editing tools (start/perform/commit editing operations) apply structured changes; output fidelity depends on prompt specificity and template availability
mediumVerified: 2026-07-09
api reliability

Endpoint stability analysis on Canva's production platform infrastructure

Evidence
Canva MCP Documentation โ€” Single hosted endpoint at https://mcp.canva.com/mcp on Canva's production platform; promoted for ChatGPT, Claude, Codex, and Gemini integrations
mediumVerified: 2026-07-09
rate limit handling

Rate limiting behavior observation against published per-tool limits under sustained load

Evidence
Canva MCP Tools and Rate Limits Documentation โ€” Per-tool rate limits are published in requests per minute and are tight on generation and editing endpoints (commonly around 20 req/min), constraining sustained agentic workloads
highVerified: 2026-07-09
error recovery

Error handling testing across plan-gated tools, invalid operations, and aborted editing transactions

Evidence
Canva MCP Tools Documentation โ€” Transactional editing (start-editing-transaction, perform-editing-operations, commit-editing-transaction) isolates failed edits before commit; structured errors are returned for plan-gated tools and rate-limit hits
mediumVerified: 2026-07-09
large asset handling

Testing content retrieval and export on large multi-page designs and heavy asset libraries

Evidence
Canva MCP Tools Documentation โ€” Asset upload is by URL (upload-asset-from-url) rather than inline payloads; multi-page design content retrieval (get-design-content, get-design-pages) can produce large tool results on complex designs
mediumVerified: 2026-07-09
๐Ÿ›ก๏ธSecurity
+
authentication security

Review of OAuth flow, CIMD support, redirect-URI allowlisting, and per-user authentication requirements

Evidence
Canva MCP Documentation โ€” Per-user OAuth is mandatory (every user needs their own Canva account); Client ID Metadata Documents (CIMD) are recommended so clients need no pre-registration or secrets, and custom clients must have redirect URIs approved onto an allowlist after review
highVerified: 2026-07-09
scope limitation

Permission boundary testing across designs, folders, and brand assets the authenticated user can access

Evidence
Canva Help Center: AI Connector Setup โ€” Access mirrors the authenticated user's existing Canva permissions and plan entitlements (resize Pro+, autofill/brand kits Enterprise); there is no finer-grained read-only or per-folder scoping below the account level
mediumVerified: 2026-07-09
token exposure risk

Token storage and exposure-surface analysis for the hosted OAuth transport

Evidence
Canva MCP Documentation โ€” OAuth tokens are managed by the MCP client rather than pasted as static API keys; CIMD eliminates client secrets entirely, and no local credential storage is required for supported clients
mediumVerified: 2026-07-09
prompt injection risk

Threat modeling of untrusted design and comment content flowing into agent context via read tools

Evidence
Canva Help Center: MCP Actions โ€” Shared designs, team comments, and imported content are third-party-authored input; text read from shared designs or comment threads can act as an injection vector into the consuming agent
mediumVerified: 2026-07-09
unauthorized action risk

Authorization boundary testing of write-capable tools against shared designs and brand assets

Evidence
Canva MCP Tools Documentation โ€” Write tools can create and edit designs, move items between folders, post comments, upload assets, and (on Enterprise) autofill brand templates โ€” modifying shared brand assets without a server-side confirmation step beyond client-level approvals
mediumVerified: 2026-07-09
๐Ÿ”’Privacy & Compliance
+
design data exposure

Data flow analysis from Canva designs through MCP tool results to LLM providers

Evidence
Canva Help Center: MCP Actions โ€” Design content, text layers, comments, and brand assets returned by tools flow into the connected LLM provider's context; AI assistants can access what the user can view within existing permissions
highVerified: 2026-07-09
sensitive data protection

Assessment of filtering and redaction controls on extracted design content

Evidence
Canva MCP Usage Policy โ€” No built-in redaction of sensitive content embedded in designs (e.g., internal decks, financial figures in presentations, unreleased brand material); protection relies on the user connecting only appropriate accounts
mediumVerified: 2026-07-09
organization data control

Review of organizational access controls and admin policies applicable to MCP-connected accounts

Evidence
Canva AI Connector โ€” Access is per-user and bounded by existing workspace permissions; Canva states enterprise-grade security and organizational policies apply, and Enterprise admins control brand kit and template access
mediumVerified: 2026-07-09
third party data sharing

Analysis of downstream data sharing once content leaves the Canva boundary

Evidence
Canva Privacy Policy โ€” Design data retrieved via MCP is shared with whichever LLM provider the user's client uses, per that provider's data policy rather than Canva's
mediumVerified: 2026-07-09
๐Ÿ‘๏ธTrust & Transparency
+
documentation quality

Documentation completeness and accuracy review

Evidence
Canva MCP Documentation โ€” Dedicated developer documentation covering setup, the full tool catalog with per-tool rate limits, plan gating, usage policy, and Canva AI connector integration, plus Help Center guides for end users
highVerified: 2026-07-09
operation visibility

Logging and traceability assessment across client logs and Canva version history

Evidence
Canva Help Center: MCP Actions โ€” Design edits appear in version history and comments are attributed to the authenticated user, but there is no dedicated MCP audit log distinguishing agent actions from manual ones
mediumVerified: 2026-07-09
open source transparency

Source availability and independent verifiability review

Evidence
Canva MCP Documentation โ€” Server implementation is closed source and maintained by Canva; behavior can only be verified through documentation and observed tool output
highVerified: 2026-07-09
api coverage clarity

Comparison of documented tool surface against observed server capabilities

Evidence
Canva MCP Tools Documentation โ€” Roughly 32 tools are individually enumerated with rate limits and plan requirements: design generation/lookup, editing transactions, assets, folders, exports and formats, comments and replies, import from URL, and resize
highVerified: 2026-07-09
โš™๏ธOperational Excellence
+
ease of setup

Setup complexity assessment across first-party connectors, generic MCP clients, and custom clients

Evidence
Canva Help Center: AI Connector Setup โ€” Native connector flows exist for Claude and ChatGPT (add https://mcp.canva.com/mcp and complete OAuth); clients without remote MCP support use the mcp-remote shim, and custom clients must apply to register redirect URIs
highVerified: 2026-07-09
api performance

Latency observation across generation, editing, and export tool types

Evidence
Canva MCP Tools Documentation โ€” Design generation and export are heavyweight operations with latency scaling in design complexity and export format; tight per-minute limits cap parallel throughput
mediumVerified: 2026-07-09
reliability

Stability assessment of the hosted endpoint and change frequency of the tool surface

Evidence
Canva AI Connector โ€” Generally available as a promoted first-party product on Canva's production platform with named integrations (ChatGPT, Claude, and others); tool surface is still expanding
mediumVerified: 2026-07-09
feature coverage

Feature completeness assessment against design-workflow needs across plan tiers

Evidence
Canva MCP Tools Documentation โ€” Covers the core design lifecycle end to end: generate, edit transactionally, organize in folders, comment, resize (Pro+), autofill brand templates (Enterprise), and export to PDF/PNG/JPG/PPTX/MP4
highVerified: 2026-07-09
community adoption

Adoption analysis across MCP client ecosystems and integration platforms

Evidence
Canva AI Connector โ€” Promoted first-party integrations with ChatGPT, Claude, Codex, and Gemini, and third-party aggregators (Composio, StackOne, Zapier) ship Canva MCP connectors
mediumVerified: 2026-07-09
Strengths
  • +Per-user OAuth with CIMD support and a reviewed redirect-URI allowlist for custom clients
  • +Transactional editing model isolates and validates changes before commit
  • +Full design lifecycle coverage: generate, edit, organize, comment, resize, autofill, export
  • +Per-tool rate limits and plan requirements are transparently published
  • +Enterprise brand controls (brand kits, brand templates) integrate with existing admin governance
  • +Native connector flows in major assistants (Claude, ChatGPT) with mcp-remote fallback elsewhere
Limitations
  • !Closed source; server behavior cannot be independently audited
  • !Write access extends to shared designs and (on Enterprise) brand assets with no server-side confirmation
  • !Shared designs and comments are third-party-authored input and a prompt injection vector
  • !Design content, including sensitive text in internal decks, is sent to the LLM provider
  • !Key capabilities are plan-gated: resize requires Pro+, autofill and brand kits require Enterprise
  • !Tight per-tool rate limits (around 20 req/min on generation/editing) constrain agentic throughput
  • !No dedicated MCP audit log separating agent actions from manual edits
Metadata
license: Proprietary (closed source)
maintained by: Canva
status: Generally available (AI Connector); custom-client redirect URI registration is application-based
remote endpoint: https://mcp.canva.com/mcp
authentication: OAuth per user (CIMD recommended; no client secrets); custom clients register redirect URIs via an allowlist application
transport types
0: streamable-http (hosted)
installation methods
0: Remote MCP endpoint
1: Native Claude/ChatGPT connector
2: mcp-remote shim for stdio-only clients
pricing: Included with Canva plans; feature gating by tier โ€” resize requires Pro or above, brand-template autofill and brand kits require Enterprise (verified 2026-07-09)
tool count: ~32 documented tools with published per-tool rate limits
mcp version: 1.0

Use Case Ratings

content creation

Primary use case: generating, editing, and exporting marketing and presentation designs from natural language

creative writing

Useful for placing and revising copy within designs, though not a writing surface itself

customer support

Marginal fit; limited to producing visual collateral for support content

education

Strong for producing teaching materials, worksheets, and presentation decks conversationally

research assistant

Limited to searching the user's own design library and extracting design content