function readOnly(count){ }
Starting November 20, the site will be set to read-only. On December 4, 2023,
forum discussions will move to the Trailblazer Community.
+ Start a Discussion

Canvas Developer Guide / Deploy the Web App to Heroku

Hi, All

Try to run canvas app in Salesforce after deploy the Web App to Heroku. But in salesforce get "This App must be invoked via a signed request" instead the message Hello User.FullName. Following all instructions during Canvas Developer Guide. (


<%@ page import="canvas.SignedRequest" %>
<%@ page import="java.util.Map" %>
    // Pull the signed request out of the request body and verify/decode it.
    Map<String, String[]> parameters = request.getParameterMap();
    String[] signedRequest = parameters.get("signed_request");
    if (signedRequest == null) {%>
        This App must be invoked via a signed request!<%
    String yourConsumerSecret=System.getenv("CANVAS_CONSUMER_SECRET");
    //String yourConsumerSecret="1818663124211010887";
    String signedRequestJson = SignedRequest.verifyAndDecodeAsJson(ssignedRequet[0], yourConsumerSecret);

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "">
<html xmlns="" lang="en">

    <title>Hello World Canvas Example</title>

    <link rel="stylesheet" type="text/css" href="/sdk/css/canvas.css" />

    <!-- Include all the canvas JS dependencies in one file -->
    <script type="text/javascript" src="/sdk/js/canvas-all.js"></script>
    <!-- Third part libraries, substitute with your own -->
    <script type="text/javascript" src="/scripts/json2.js"></script>

        if (self === top) {
            // Not in Iframe
            alert("This canvas app must be included within an iframe");

        Sfdc.canvas(function() {
            var sr = JSON.parse('<%=signedRequestJson%>');
            // Save the token
            Sfdc.canvas.byId('username').innerHTML = sr.context.user.fullName;

    <h1>Hello <span id='username'></span></h1>

Please help
NagendraNagendra (Salesforce Developers) 
Hi Konstruktor,

First and foremost sincerely regret delayed reply.

To the original question. Is the canvas app is using self-authorization rather than admin-approved users then the first access to the app will be as part of the OAuth flow rather than a POST with the signed request.

You would need to detect this and complete the OAuth flow first before the signed-request POST will occur.

Kindly mark this post as solved if the information help's so that it gets removed from the unanswered queue which results in helping others who are really in need of it.

Best Regards,