diff --git a/crates/kingfisher-rules/data/rules/calcom.yml b/crates/kingfisher-rules/data/rules/calcom.yml
index 97380a4..3efe9ec 100644
--- a/crates/kingfisher-rules/data/rules/calcom.yml
+++ b/crates/kingfisher-rules/data/rules/calcom.yml
@@ -5,7 +5,7 @@ rules:
 (?x)
 \b
 (
- cal(?:_live)?_[A-Za-z0-9]{24,44}
+ cal(?:_live)?_[A-Za-z0-9]{32}
 )
 \b
 pattern_requirements:
@@ -13,8 +13,7 @@ rules:
 min_entropy: 3.0
 confidence: medium
 examples:
- - 'CAL_API_KEY=cal_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6'
- - 'CAL_API_KEY=cal_live_a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6'
+ - 'CAL_API_KEY=cal_live_f1ec52a0b268e00fe30b63e96115c8df'
 - 'Authorization: Bearer cal_live_xK8m2LpQr5nW0vYz3cJ7aB4dE6fG8h'
 references:
 - https://cal.com/docs/api-reference/v2/introduction
diff --git a/crates/kingfisher-rules/data/rules/canva.yml b/crates/kingfisher-rules/data/rules/canva.yml
index 1b41e42..9afdaa4 100644
--- a/crates/kingfisher-rules/data/rules/canva.yml
+++ b/crates/kingfisher-rules/data/rules/canva.yml
@@ -1,11 +1,38 @@
 rules:
+ - name: Canva Connect API Client ID
+ id: kingfisher.canva.2
+ pattern: |
+ (?xi)
+ \b
+ (?:canva|CANVA_CLIENT_ID)
+ (?:.|[\n\r]){0,32}?
+ (?:client[_\s-]*id|app[_\s-]*id)
+ (?:.|[\n\r]){0,16}?
+ \b
+ (
+ OC-[A-Za-z0-9_-]{8,32}
+ )
+ \b
+ pattern_requirements:
+ min_digits: 1
+ min_uppercase: 2
+ min_lowercase: 2
+ min_entropy: 2.5
+ confidence: medium
+ visible: false
+ examples:
+ - 'canva client id: OC-AZ2dqZiY_lec'
+ - 'CANVA_CLIENT_ID=OC-FAB12-AbCdEf'
+ references:
+ - https://www.canva.dev/docs/connect/authentication/
+
 - name: Canva Connect API Client Secret
 id: kingfisher.canva.1
 pattern: |
 (?x)
 \b
 (
- cnvca[a-zA-Z0-9_-]{20,80}
+ cnvca[a-zA-Z0-9_-]{51}
 )
 \b
 pattern_requirements:
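Review bot: Tightening the calcom.yml pattern to `cal(?:_live)?_[A-Za-z0-9]{32}` breaks the example this commit keeps in the second calcom.yml hunk (`@@ -13,8 +13,7 @@`): `Authorization: Bearer cal_live_xK8m2LpQr5nW0vYz3cJ7aB4dE6fG8h` has only 30 characters after `cal_live_`, so it no longer matches and will fail any check that requires every example to hit the rule. Either extend that sample to 32 characters (a constructed value such as `cal_live_xK8m2LpQr5nW0vYz3cJ7aB4dE6fG8hQ9` would do) or, if 30-character keys are real, keep a range such as `{30,32}` instead of the fixed `{32}`. Dropping both `cal_…` examples also leaves the optional `(?:_live)?` branch without any example exercising it; a non-`_live` 32-character sample would keep that branch covered.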
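Review bot: The new `Canva Connect API Client ID` rule carries no `categories:` key, while the sibling `Canva Connect API Client Secret` rule has `categories: [api, key]` (visible as context in the second canva.yml hunk); if the omission is deliberate because the rule is `visible: false` and exists only to feed `depends_on_rule`, a one-line comment such as `# helper rule: not reported on its own, consumed by kingfisher.canva.1 via depends_on_rule` would keep the next reader from adding categories back. The two gap expressions `(?:.|[\n\r]){0,32}?` and `(?:.|[\n\r]){0,16}?` are the usual `[\s\S]{0,32}?` / `[\s\S]{0,16}?` and read more plainly in that form. The captured class `[A-Za-z0-9_-]` is followed by `\b`, so a value ending in `-` only matches when a word character follows it; presumably client IDs never end in `-`, but that is worth confirming against the referenced authentication page.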
@@ -14,10 +41,34 @@ rules:
 confidence: medium
 categories: [api, key]
 examples:
- - 'CANVA_CLIENT_SECRET=cnvcaAbCdEfGhIjKlMnOpQrStUvWxYz123456'
+ - 'CANVA_CLIENT_SECRET=cnvcav3RRFkl36rsXClN3-Dsygjl_oGT1-xMhXV70oxnGi6s811bfada'
+ depends_on_rule:
+ - rule_id: kingfisher.canva.2
+ variable: CLIENT_ID
 references:
 - https://www.canva.dev/docs/connect/authentication/
+ - https://www.canva.dev/docs/connect/api-reference/authentication/generate-access-token/
 - https://www.canva.dev/docs/connect/guidelines/security/
- # No standalone validation is added: Canva Connect client secrets are used
- # in OAuth flows that require the matching client_id and PKCE flow state.
+ validation:
+ type: Http
+ content:
+ request:
+ method: POST
+ url: https://api.canva.com/rest/v1/oauth/token
+ headers:
+ Content-Type: application/x-www-form-urlencoded
+ Accept: application/json
+ body: "grant_type=authorization_code&client_id={{ CLIENT_ID | url_encode }}&client_secret={{ TOKEN | url_encode }}&code_verifier=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-._~abcdefgh&code=invalid"
+ response_matcher:
+ - report_response: true
+ - type: StatusMatch
+ status: [400]
+ - type: JsonValid
+ - type: WordMatch
+ words:
+ - '"invalid_grant"'
+ - type: WordMatch
+ words:
+ - '"invalid_client"'
+ negative: true
 # No programmatic client-secret revocation endpoint is documented.
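Review bot: The validation block's positive match on `"invalid_grant"` only confirms a secret if the token endpoint authenticates `client_id`/`client_secret` before it evaluates the bogus `code`, and the hunk removes the comment that used to record why validation was constrained without writing down this new assumption. The request also sends no `redirect_uri`; if Canva rejects the request as `invalid_request` before reaching the grant check, a genuine secret would never produce `"invalid_grant"` and the validator would silently report it as unverified (a false negative rather than a false positive), which is worth confirming against the referenced generate-access-token page. I would add, above `validation:`, a comment along the lines of `# A valid client_id+secret with a bogus code is expected to yield 400 invalid_grant; a wrong secret yields invalid_client, which the negative matcher rejects. Assumes credential checks run before code/redirect_uri checks - confirm.` Note that `status: [400]` is the only accepted status, so any 401 response from this endpoint is treated as unverified by design; stating that in the same comment would make the matcher's intent explicit.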