[2026-03-25] Release: Update Connect API Starter Kit (#32)

Release: Update Connect API Starter Kit

Generated on: Wed Mar 25 23:13:40 UTC 2026
Source commit: 5ae1436ccb190c6a32d44e795a589280a7829bc5

Co-authored-by: canva-sdk-releases[bot] <227329455+canva-sdk-releases[bot]@users.noreply.github.com>

Author: canva-sdk-releases[bot]

.nvmrc

@@ -1 +1 @@
-20.14.0
+lts/krypton

CHANGELOG.md

@@ -1,5 +1,16 @@
 # Changelog
 
+## 2026-03-26
+
+### 🔧 Changed
+
+- Updated the `.nvmrc` to recommend Node.js lts/krypton (v24) and all `@types/node` dependencies to `24.12.0`.
+- Upgrade examples/backend/typescript-express `better-sqlite3` from `8.5.0` -> `12.8.0` (to suit later node.js versions 22 & 24).
+
+### 🐞 Fixed
+
+- Fixed OAuth token exchange in the demos failing with `bad_request_body`. The `bodySerializer` override passed to `OauthService.exchangeAccessToken` and `OauthService.revokeTokens` was calling `.toString()` on a plain object, producing `"[object Object]"` as the request body. The SDK already applies the correct `urlSearchParamsBodySerializer` to these endpoints, so the manual overrides have been removed.
+
 ## 2026-03-19
 
 ### 🔧 Changed

README.md

@@ -6,8 +6,8 @@ This repo contains our OpenAPI specifications, as well as a demo ecommerce web a
 
 ## Requirements
 
-- Node.js `v20.14.0`
-- npm `v9` or `v10`
+- Node.js `v24`
+- npm `v11`
 
 **Note:** To make sure you're running the correct version of Node.js, we recommend using a version manager, such as [nvm](https://github.com/nvm-sh/nvm#intro). The [.nvmrc](/.nvmrc) file in the root directory of this repo will ensure the correct version is used once you run `nvm install`.
 

demos/common/backend/services/client.test.ts

@@ -0,0 +1,81 @@
+import { OauthService } from "@canva/connect-api-ts";
+import { createClient } from "@canva/connect-api-ts/client";
+
+const mockClient = createClient({
+  baseUrl: "https://api.canva.com",
+  headers: { Authorization: "Basic aaaaaaaa" },
+});
+
+describe("OAuth service body serialization", () => {
+  let mockFetch: jest.Mock;
+
+  beforeEach(() => {
+    mockFetch = jest.fn();
+    global.fetch = mockFetch;
+  });
+
+  afterEach(() => {
+    jest.restoreAllMocks();
+  });
+
+  describe("exchangeAccessToken", () => {
+    it("serializes the request body as application/x-www-form-urlencoded", async () => {
+      mockFetch.mockResolvedValue(
+        new Response(
+          JSON.stringify({
+            access_token: "tok",
+            refresh_token: "ref",
+            token_type: "Bearer",
+            expires_in: 3600,
+          }),
+          { status: 200, headers: { "Content-Type": "application/json" } },
+        ),
+      );
+
+      await OauthService.exchangeAccessToken({
+        client: mockClient,
+        body: {
+          grant_type: "authorization_code",
+          code: "test-code",
+          code_verifier: "test-verifier",
+          redirect_uri: "http://localhost:3001/oauth/redirect",
+        },
+      });
+
+      const request = mockFetch.mock.calls[0][0] as Request;
+      const body = await request.text();
+      const parsed = Object.fromEntries(new URLSearchParams(body));
+
+      expect(parsed.grant_type).toBe("authorization_code");
+      expect(parsed.code).toBe("test-code");
+      expect(parsed.code_verifier).toBe("test-verifier");
+      expect(parsed.redirect_uri).toBe("http://localhost:3001/oauth/redirect");
+      // Regression guard: plain object .toString() returns "[object Object]"
+      expect(body).not.toBe("[object Object]");
+    });
+  });
+
+  describe("revokeTokens", () => {
+    it("serializes the request body as application/x-www-form-urlencoded", async () => {
+      mockFetch.mockResolvedValue(new Response(null, { status: 200 }));
+
+      await OauthService.revokeTokens({
+        client: mockClient,
+        body: {
+          client_id: "my-client-id",
+          client_secret: "my-client-secret",
+          token: "test-refresh-token",
+        },
+      });
+
+      const request = mockFetch.mock.calls[0][0] as Request;
+      const body = await request.text();
+      const parsed = Object.fromEntries(new URLSearchParams(body));
+
+      expect(parsed.client_id).toBe("my-client-id");
+      expect(parsed.token).toBe("test-refresh-token");
+      // Regression guard: plain object .toString() returns "[object Object]"
+      expect(body).not.toBe("[object Object]");
+    });
+  });
+});

demos/common/backend/services/client.ts

@@ -35,13 +35,7 @@ export async function getAccessTokenForUser(
 
   const result = await OauthService.exchangeAccessToken({
     client: getBasicAuthClient(),
-    // by default, the body is JSON stringified, but given this endpoint expects form URL encoded data
-    // we need to override the `bodySerializer`
     body: params,
-    bodySerializer: (params) => params.toString(),
-    headers: {
-      "Content-Type": "application/x-www-form-urlencoded",
-    },
     baseUrl: process.env.BASE_CANVA_CONNECT_API_URL,
   });
 

demos/common/package.json

@@ -39,7 +39,7 @@
     "@types/cors": "2.8.19",
     "@types/express": "4.17.21",
     "@types/multer": "2.0.0",
-    "@types/node": "20.19.2",
+    "@types/node": "24.12.0",
     "@types/nodemon": "1.19.6",
     "@types/yargs": "17.0.33",
     "prettier": "3.6.2",

demos/ecommerce_shop/backend/package.json

@@ -27,7 +27,7 @@
     "@types/cors": "2.8.19",
     "@types/express": "4.17.21",
     "@types/multer": "2.0.0",
-    "@types/node": "20.19.2",
+    "@types/node": "24.12.0",
     "prettier": "3.6.2",
     "typescript": "5.9.2"
   }

demos/ecommerce_shop/backend/routes/auth.ts

@@ -76,12 +76,6 @@ router.get(endpoints.REDIRECT, async (req, res) => {
     const result = await OauthService.exchangeAccessToken({
       client: getBasicAuthClient(),
       body: params,
-      // by default, the body is JSON stringified, but given this endpoint expects form URL encoded data
-      // we need to override the `bodySerializer`
-      bodySerializer: (params) => params.toString(),
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-      },
     });
 
     if (result.error) {
@@ -207,13 +201,7 @@ router.get(endpoints.REVOKE, async (req, res) => {
 
     await OauthService.revokeTokens({
       client: getBasicAuthClient(),
-      // by default, the body is JSON stringified, but given this endpoint expects form URL encoded data
-      // we need to override the `bodySerializer`
       body: params,
-      bodySerializer: (params) => params.toString(),
-      headers: {
-        "Content-Type": "application/x-www-form-urlencoded",
-      },
     });
   } catch (e) {
     console.log(e);

demos/ecommerce_shop/package.json

@@ -33,7 +33,7 @@
     "@eslint/js": "9.34.0",
     "@types/cookie-parser": "1.4.9",
     "@types/jest": "30.0.0",
-    "@types/node": "20.19.2",
+    "@types/node": "24.12.0",
     "@types/nodemon": "1.19.6",
     "@types/yargs": "17.0.33",
     "@typescript-eslint/eslint-plugin": "8.41.0",

demos/playground/backend/package.json

@@ -27,7 +27,7 @@
     "@types/cors": "2.8.19",
     "@types/express": "4.17.21",
     "@types/multer": "2.0.0",
-    "@types/node": "20.19.2",
+    "@types/node": "24.12.0",
     "prettier": "3.6.2",
     "typescript": "5.9.2"
   }