Canvus REST API Changelog
v1.4
Targeting Canvus 26.05.x
New Endpoints
- Annotation CRUD (widget-parented). Full CRUD for freehand stroke annotations attached to a widget at /canvases/{id}/{type}/{widgetId}/annotations (collection) and /canvases/{id}/{type}/{widgetId}/annotations/{annotationId} (item). Methods: POST (create), GET (list and single fetch), PATCH (partial update), DELETE. {type} is one of the mutable widget endpoints: notes, images, browsers, videos, pdfs, anchors, video-inputs, ip-videos, rdp-connections, tables. Serialized properties: id, line_color, depth, page, points. Patchable: points, line_color, page.
- Annotation CRUD (canvas plane). Whiteboard-style strokes drawn on the canvas itself, not on a widget, use the singleton form at /canvases/{id}/shared-canvas/annotations (collection) and /canvases/{id}/shared-canvas/annotations/{annotationId} (item). No widget ID in the path -- the server resolves the canvas's root node. Same methods and properties as the widget-parented form (minus page, which is PDF-only).
New Parameters
- points accepts two encodings. Annotation points may be supplied either as a base64-encoded Float32Array (9 floats per node, little-endian: control-in x/y/z, anchor x/y/z, control-out x/y/z) or as a JSON array of 9-float arrays ([[cInX, cInY, cInZ, x, y, z, cOutX, cOutY, cOutZ], ...]). Automation callers can use the JSON form and avoid binary packing.
- ?points= on GET. Annotation GET (list and single) accepts an optional points query parameter: b64 (default, for backward compatibility) or json to receive points as 9-float-per-node arrays.
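The two points encodings described above, converted in both directions with framing checks. This is an added example, not Canvus code; the function names and the sample stroke are constructed here, and rejecting NaN/infinite values is a client-side choice the changelog does not document.

```python
import base64
import math
import struct

FLOATS_PER_NODE = 9               # control-in x/y/z, anchor x/y/z, control-out x/y/z
NODE_BYTES = FLOATS_PER_NODE * 4  # float32 is 4 bytes

def points_json_to_b64(nodes):
    """Pack [[9 floats], ...] into base64 of little-endian float32 values."""
    flat = []
    for i, node in enumerate(nodes):
        if len(node) != FLOATS_PER_NODE:
            raise ValueError(f"node {i}: expected 9 floats, got {len(node)}")
        for v in node:
            # Client-side choice (assumption): refuse bools, strings, NaN and inf.
            if isinstance(v, bool) or not isinstance(v, (int, float)) or not math.isfinite(v):
                raise ValueError(f"node {i}: bad coordinate {v!r}")
        flat.extend(node)
    return base64.b64encode(struct.pack(f"<{len(flat)}f", *flat)).decode("ascii")

def points_b64_to_json(b64):
    """Unpack the base64 form into 9-float-per-node lists, checking framing."""
    raw = base64.b64decode(b64, validate=True)  # reject non-alphabet characters
    if len(raw) % NODE_BYTES:
        raise ValueError(f"{len(raw)} bytes is not a multiple of {NODE_BYTES}")
    flat = struct.unpack(f"<{len(raw) // 4}f", raw)
    if not all(math.isfinite(v) for v in flat):
        raise ValueError("non-finite coordinate in points")
    return [list(flat[i:i + FLOATS_PER_NODE])
            for i in range(0, len(flat), FLOATS_PER_NODE)]

# Constructed sample stroke: two nodes, values exactly representable in float32.
SAMPLE = [
    [0.0, 0.0, 0.0, 10.0, 20.0, 0.0, 0.5, -1.25, 0.0],
    [9.5, 19.0, 0.0, 30.0, 40.0, 0.0, 0.0, 0.0, 0.0],
]

if __name__ == "__main__":
    encoded = points_json_to_b64(SAMPLE)
    print(encoded)
    print(points_b64_to_json(encoded) == SAMPLE)
```

Values that are not exactly representable in float32 (0.1, for example) come back slightly changed after a round trip through the base64 form, so compare with a tolerance when verifying stored strokes.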
New Attributes
- Annotation line_color -- string, required on create. Hex color with alpha in #RRGGBBAA form (e.g. #ff0000ff).
- Annotation page -- integer, optional, PDF parents only. Scopes a stroke to a specific PDF page. Sending page on a non-PDF parent returns 400. Must be >= 1. Omitted from responses for non-PDF parents.
- Annotation depth -- float, server-assigned and read-only. Returned for parity with widget serialization; clients should not set it on create.
v1.3
Targeting Canvus 26.04.x
Breaking Changes
- Depth validation enforced. PATCH requests that set depth below 1.0 now return 400 Bad Request. Previously, any float was accepted, and values like -1 or 0 made widgets render behind the canvas background, permanently inaccessible from the UI. Migration: update any automation that sets depth below 1.0.
- View-only users receive 403 on writes. PATCH, POST (create), and DELETE requests from view-only users now return 403 Forbidden. Previously, these returned 200 OK and silently dropped the write. Migration: check for view-only status before issuing writes, or handle 403 responses.
- PDF index validation. PATCH requests that set PDF index to a negative value now return 400 Bad Request. Index 0 is the first page. Migration: ensure page index values are zero or positive.
- Image and video resize enforces aspect ratio. PATCH requests that change size on Image or Video widgets now enforce the current aspect ratio. The requested size is treated as a bounding box using longest-edge scaling. The response contains the corrected size values. Migration: read the response body to get the actual applied size.
- Video pause preserves playback position. When PATCH changes playback_state to "paused" without providing playback_position, the server now computes the correct current position. Previously, pausing without an explicit position caused the video to jump back to where it started playing. Migration: clients that always sent playback_position as a workaround can remove that workaround.
New Widget Types
- IP Video widgets. Full CRUD at /canvases/{id}/ip-videos. Serialized properties: source, host-id, title. Patchable: title, source.
- RDP Connection widgets. Full CRUD at /canvases/{id}/rdp-connections. Serialized properties: connection-name, host-id, content-id, title. Patchable: title, connection-name.
- Table widgets. Full CRUD at /canvases/{id}/tables with cell listing at /canvases/{id}/tables/{tableId}/cells. Creation accepts optional grid_size (default 2x2). Table cells expose column and row fields.
- VideoOutputAnchor. Now a fully typed widget in API responses with title in both GET serialization and PATCH handling. Type reported as "VideoOutputAnchor".
- Widget clone. Cross-canvas widget cloning is now live. POST to the typed endpoint (e.g. /canvases/{id}/notes) with source_canvas_id and source_widget_id in the body to copy a widget from any accessible canvas. Supported types: Note, Image, Browser, Video, PDF, Anchor, Table. An optional location override sets the placement position.
New Attributes
- Video muted -- boolean, default false. Readable and patchable via PATCH. Example: {"muted": true}.
- Video duration -- float, seconds, default 0.0. Read-only (populated by the desktop client's video decoder). Value is 0.0 if the video has not yet been decoded by any client.
New Parameters
auto_raise on PATCH. All widget PATCH endpoints accept an optional auto_raise boolean (default false). When true, sets the widget's depth to maxSiblingDepth + 1.0, matching the UI's bring-to-front behavior.
New Endpoints
GET /canvases/{id}/uploads-folder -- lists assets uploaded via POST /uploads-folder. Previously, uploaded assets could not be distinguished from canvas-placed items.
Bug Fixes
- Note title PATCH. PATCH on Notes now accepts the title field. Previously it was serialized in GET and set during creation, but PATCH silently ignored it.
- Note clone with auto text color. Cloning a Note whose text color was set to automatic (auto_text_color: true) previously failed with "Can't set color when text color selection is automatic". Fixed: the clone path now drops the resolved text_color value when auto_text_color is true, letting the server recompute it on the destination canvas.
- VideoInput title. GET on VideoInput widgets now includes title. PATCH on VideoInput now accepts title.
- TableCell row/column. GET on TableCell widgets now includes column and row fields derived from the cell index. Previously fell through to bare CanvasItem serialization.
- Note positioning with scale < 1. Fixed coordinate conversion where the 30px padding was added without being multiplied by the widget's scale factor. Notes placed via API at scale < 1 now appear at the correct position.
- PDF re-render on size change. Changing a PDF widget's size via the API now triggers a re-render at the new dimensions. Previously, the frame updated but the raster stayed at the initial load size.
- Cross-server canvas open permission denied. Fixed syncUserAndServerInfo() to set the owner attribute for cross-server users, which was causing validateOwner to reject commands.
- Video output error messages. Replaced generic error message with specific cases: widget not found (404), no canvas open (400), permission denied (403).
- Reparenting without location warning. When PATCH changes parent_id without location, the server now logs a warning about coordinates being reinterpreted in the new parent's coordinate space.
- Size validation. PATCH requests with zero or negative width/height are now rejected.
Infrastructure
- SSE keepalive interval now uses the configured KeepAlive value instead of hardcoded 15 seconds.
- Docker/Podman network trust is configurable via TrustedProxyNetworks setting (list of CIDRs, default ["172.0.0.0/8"]).
- TLS cipher suite hardened: removed non-forward-secrecy ciphers, retained only ECDHE suites.
- HTTP-to-HTTPS redirect changed from 307 Temporary to 308 Permanent.
- Deprecated Go ioutil APIs replaced with modern equivalents.
- Error response fallback no longer returns silent {} on JSON marshal failure.
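The default TrustedProxyNetworks value, 172.0.0.0/8, is wider than the RFC 1918 private block 172.16.0.0/12. The following added example (not Canvus code) audits a list of IPv4 CIDRs and reports the parts of each entry that lie outside private and loopback space; the function names and the reference list of private ranges are assumptions of the example.

```python
import ipaddress

# RFC 1918 ranges plus loopback, where container bridges and local proxies
# normally sit. This reference list is an assumption of the example.
PRIVATE_NETS = [ipaddress.IPv4Network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def outside_private(cidr):
    """Return the parts of an IPv4 CIDR that fall outside PRIVATE_NETS."""
    # strict=True rejects entries with host bits set, e.g. "172.17.0.1/16".
    remaining = [ipaddress.IPv4Network(cidr, strict=True)]
    for priv in PRIVATE_NETS:
        kept = []
        for net in remaining:
            if net.subnet_of(priv):
                continue                                # fully private: drop
            if priv.subnet_of(net):
                kept.extend(net.address_exclude(priv))  # carve the private part out
            else:
                kept.append(net)                        # disjoint: keep as is
        remaining = kept
    return [str(n) for n in sorted(remaining)]

def audit_trusted_proxies(cidrs):
    """Map each over-broad entry to its non-private subnets and address count."""
    findings = {}
    for cidr in cidrs:
        extra = outside_private(cidr)
        if extra:
            findings[cidr] = {
                "outside_private": extra,
                "addresses": sum(ipaddress.IPv4Network(n).num_addresses for n in extra),
            }
    return findings

if __name__ == "__main__":
    # The documented default next to a constructed, narrower setting.
    print(audit_trusted_proxies(["172.0.0.0/8"]))
    print(audit_trusted_proxies(["172.16.0.0/12"]))
```

An empty result means every listed network sits inside the private ranges; narrowing the setting to the subnets the container runtime actually uses keeps it that way.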
Documentation
view_rectangle coordinate system documented: canvas coordinate space, width/scale authoritative, height re-derived from display aspect ratio, SET response returns post-correction values.
v1.2
- Added unauthenticated access for link-shared canvases and link_permission attribute to the permissions endpoint.
- Added /uploads-folder endpoint.
- Added /send-test-email endpoint.
- Added title parameter for Notes.
- Filter out the ID of the currently open canvas in the Client API if the user who makes the request doesn't have access to that canvas.
- Added server_name attribute to the /server-config.
v1.1
- Removed ini file tokens, made authentication mandatory for most endpoints.
- Added /login, login/saml and /logout endpoints.
- Added users and groups management API.
- Added /permissions endpoints for canvases and folders.
- Added DELETE /children for folders.
- Added mode (demo or normal) attribute for canvases.
- Added /save and /restore endpoints for canvases.
- Added /preview for canvases.
- Added API tokens management API.
- Added license management API.
- Added audit log API.
- Added /server-config endpoint.
- Applied permissions model to the Client API.
- Added /open-canvas endpoint for workspaces.
- Added user-email and server-id attributes to the /workspace.
v1.0
- Initial release of the Canvus REST API.
- Canvas, note, image, video, PDF, browser, and widget CRUD.
- Client and workspace read endpoints.
- File upload and download for media assets.