
OAuth

OAuth2 is a defined authorization spec that we utilize to enable 3rd-party applications to integrate with Webflow. Before interacting with the API, developers should register their applications, at which point a client_id and client_secret will be generated.

Webflow supports the authorization code grant, so applications built to integrate with Webflow should implement the flow as defined below: first retrieve an authorization code (after a user approves the request), then exchange it for an access token to be used on all subsequent requests.

User authorization

Direct a user to the authorization URL with the correct parameters specified. When they accept or deny the authorization request, the user will be redirected back to the redirect_url provided during OAuth Application setup.

Request

GET https://webflow.com/oauth/authorize

PARAMETER DESCRIPTION
client_id Unique ID for your application. Can be found in the dashboard
response_type Always should be ‘code’
state A token value provided by your application for CSRF protection

The final URL should look like this, but substituted with your own client_id and optional state parameters: https://webflow.com/oauth/authorize/?client_id=8151ef1a5613fe2340e62395008595d23b31e15edfd0c5b1a49ad3560d5ca16b&response_type=code


You receive the response to the authorization request via the redirect URL you specify during application setup; the redirect URL can be updated in the dashboard.

Response

PARAMETER DESCRIPTION
code Authorization code used to retrieve an access_token for the user. Can only be used once.
state Same as the original value if provided.

Error Response

PARAMETER DESCRIPTION
state Same as the original value if provided.
error An error code specifying which error occurred.
error_description Human readable description of the error that occurred.
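
The state round trip described above, as an added example (not Webflow's code): it binds a fresh state value to the user's session before redirecting, then checks the redirect's state, error and code parameters before any token exchange. The `session` store, `OAuthCallbackError`, the function names and the `app.example` callback URL are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://webflow.com/oauth/authorize"  # endpoint from this page


class OAuthCallbackError(Exception):
    """The redirect must not lead to a token exchange."""


def build_authorize_url(client_id, session):
    """Mint a fresh state, bind it to this user's session, return the URL."""
    state = secrets.token_urlsafe(32)  # unguessable, new for every attempt
    session["oauth_state"] = state     # `session`: hypothetical server-side store
    query = urlencode(
        {"client_id": client_id, "response_type": "code", "state": state}
    )
    return f"{AUTHORIZE_URL}?{query}"


def handle_callback(callback_url, session):
    """Validate the redirect and return the one-time authorization code."""
    params = parse_qs(urlsplit(callback_url).query)
    if any(len(values) != 1 for values in params.values()):
        raise OAuthCallbackError("duplicated query parameter")
    params = {name: values[0] for name, values in params.items()}

    expected = session.pop("oauth_state", None)  # single use, even on failure
    returned = params.get("state", "")
    # Verify state before anything else, in constant time.
    if not expected or not hmac.compare_digest(expected.encode(), returned.encode()):
        raise OAuthCallbackError("state mismatch")
    if "error" in params:  # e.g. access_denied when the user declines
        detail = params.get("error_description", "")
        raise OAuthCallbackError(f"{params['error']}: {detail}")
    if "code" not in params:
        raise OAuthCallbackError("redirect carried neither code nor error")
    return params["code"]


if __name__ == "__main__":
    sess = {}  # constructed stand-in for a real session
    print(build_authorize_url("YOUR_CLIENT_ID", sess))
    # Constructed callback, as the redirect URL would receive it.
    cb = "https://app.example/callback?code=SAMPLE_CODE&state=" + sess["oauth_state"]
    print(handle_callback(cb, sess))
```

Because the stored state is removed on the first callback, a replayed redirect fails the state check even if its query string is otherwise valid.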

Request access token

curl https://api.webflow.com/oauth/access_token \
    -d client_id="8151ef1a5613fe2340e62395008595d23b31e15edfd0c5b1a49ad3560d5ca16b" \
    -d client_secret="94cd4c5ac02604185a4ce2bca3f46c14c60ed9c5df86f76b43089997d8febfcf" \
    -d code="c64a5accd53542c485e97a90e287ac18f522ec828947696fb13feb5255e3c42f" \
    -d grant_type="authorization_code"

{
  "token_type": "bearer",
  "access_token": "79f75b59455167fdb72d3f777409d390a3a93c048539ec6ddc34327cb312627e"
}
  • Once the code has been retrieved from the redirect URL, to finalize the authorization, your application must request an access_token.
  • The access_token request should be made as soon as possible after authorization as unconfirmed authorizations are only valid for 30 minutes.

Request

  • POST https://api.webflow.com/oauth/access_token
PARAMETER DESCRIPTION
client_id Unique ID for your application. Can be found in the dashboard
client_secret Private value unique to your application. Can be found in the dashboard
code Authorization code used to retrieve an access_token for the user. Can only be used once.
grant_type Always should be “authorization_code”

Response

PARAMETER DESCRIPTION
token_type Always will be “bearer”
access_token Token to use when making API requests on behalf of a user

Error Response

PARAMETER DESCRIPTION
error An error code specifying which error occurred.
error_description Human readable description of the error that occurred.

API Keys

In addition to the authorization code grant, it also is possible to get access_tokens for personal applications.

If you are developing a private integration to Webflow and you are only interacting with your own account, there is a simplified process for getting an access_token without having to register an OAuth application and implement the full authorization code grant flow. You can simply generate an API key (equivalent to an access_token) from the Webflow dashboard.

API keys may be generated either on a per-site basis or as a team-wide API key (by the owner of the team).

Keep in mind, API keys are effectively the same as your Webflow password, so be sure to treat them with the same level of care!

Site API Keys

To generate an API key for a site, open the site in the dashboard and navigate to the “Settings” pane. There is a section titled “API Access”, where you can generate a new API key.

Team API Keys

To generate an API key for a team, open the team in the dashboard and navigate to the “Settings” pane. There is a section titled “API Access”, where you can generate a new API key.

OAuth Applications

Register an application

Applications may be registered to either a user or to a team.

User

To register an application as a user, open the integrations tab of account settings and click the “Register New Application” button.

Teams

To register an application as a team, open the settings page for your team by clicking on it in the teams overview page. Then navigate to the integrations section and click the “Register New Application” button.


The following fields are required for registration:

FIELDS DESCRIPTION
Application Name The name of the application that will appear when someone authorizes your application.
Application Description A short description that will appear to users on the authorization request page.
Redirect URL The URL we redirect users to after they approve / deny the authorization request. URL must begin with https and be served with SSL.
Application Homepage A link to the homepage of your application.


Upon registration you should see the client_id and client_secret tokens for your application. You will need these in order to create authorizations for users with your application.

OAuth Errors

Errors returned in the query string to the redirect URL set up for your application

Authorization Errors

Error Code Description
invalid_request
unsupported_response_type
access_denied

Errors returned by the API for the POST /oauth/access_token endpoint

Access code errors

Error Code Description
unsupported_grant_type grant_type should always be specified as the string: authorization_code
invalid_client No OAuth application found matching the provided credentials
invalid_grant Provided code was invalid