Data APIIntroductionAuthentication

Site Token

Create an Site API token.

Site tokens provide access to site-specific resources via the Webflow Data API.

Site tokens are required to authenticate requests to the Webflow Data API. Each token acts as a unique identifier and password, allowing Webflow to verify:

  • Who is making the request
  • What they’re allowed to do through scopes and permissions
  • Which sites and workspaces they’re accessing

You’ll need to include your site token in the “Authorization” header of every API request. You’ll see how to do this in the examples below.


Creating a site token

Site administrator access required

Only site administrators are authorized to create a site token. If you’re not a site administrator, please contact one to create the token for you.

  1. In your workspace, find the site you want to create a token for and click the gear icon to open the site settings.

  2. In the left sidebar of your site’s settings, select Apps & integrations. Scroll to the bottom of the page to the API access section.

  3. Click Generate API token.

  4. Enter a name for your token, and choose the scopes needed for your use case.

  5. Click “Generate token.”

  6. Copy the generated token to your clipboard and save it in a secure location.


Limitations

  • API tokens expire after 365 consecutive days of inactivity. Any API call made with the token before expiry will reset the inactivity period.
  • Site tokens are created per site. If you’re looking to build an integration that works across multiple sites, consider creating a Webflow App.
  • Each site can have up to 5 tokens. This limit ensures manageable token access and security.
  • Site tokens do not grant access to the following endpoints:
    • Authorization endpoints
    • Custom code endpoints
    • Workspace Activity log endpoints

Using a site token

Now that you have your site token, you can start making requests to the Webflow Data APIs.

Example

request
$curl --request GET \
>  --url https://api.webflow.com/v2/sites \
>  --header 'accept: application/json' \
>  --header 'authorization: Bearer YOUR_API_TOKEN'

This command retrieves a list of sites associated with your Webflow account. Replace YOUR_API_TOKEN with the site token you generated.

Example API response

Here’s an example of what a response from the Webflow API might look like:

Response
1{
2   "id": "42e98c9a982ac9b8b742",
3   "workspaceId": "42e63e98c9a982ac9b8b742",
4   "displayName": "The Hitchhiker's Guide to the Galaxy",
5   "shortName": "hitchhikers-guide",
6   "previewUrl": "https://screenshots.webflow.com/sites/6258612d1ee792848f805dcf/20231219211811_d5990556c743f33b7071300a03bf67e6.png",
7   "timeZone": "Magrathea/FactoryFloor",
8   "createdOn": "1979-10-12T12:00:00.000Z",
9   "lastUpdated": "2023-04-02T12:42:00.000Z",
10   "lastPublished": "2023-04-02T12:42:00.000Z",
11   "parentFolderId": "1as2d3f4g5h6j7k8l9z0x1c2v3b4n5m6",
12   "customDomains": [
13      {
14         "id": "589a331aa51e760df7ccb89d",
15         "url": "hitchhikersguide.galaxy"
16      },
17      {
18         "id": "589a331aa51e760df7ccb89e",
19         "url": "heartofgold.spaceship"
20      }
21   ],
22   "locales": {
23      "value": {
24         "primary": {
25            "id": "653fd9af6a07fc9cfd7a5e57",
26            "cmsLocaleId": "653ad57de882f528b32e810e",
27            "enabled": false,
28            "displayName": "English (United States)",
29            "displayImageId": null,
30            "redirect": true,
31            "subdirectory": "",
32            "tag": "en-US"
33         },
34         "secondary": [
35            {
36               "id": "653fd9af6a07fc9cfd7a5e56",
37               "cmsLocaleId": "653fd9af6a07fc9cfd7a5e5d",
38               "enabled": true,
39               "displayName": "French (France)",
40               "displayImageId": null,
41               "subdirectory": "fr-fr",
42               "tag": "fr-FR"
43            },
44            {
45               "id": "654112a3a525b2739d97664c",
46               "cmsLocaleId": "654112a3a525b2739d97664f",
47               "enabled": true,
48               "displayName": "Spanish (Mexico)",
49               "displayImageId": null,
50               "subdirectory": "es-mx",
51               "tag": "es-MX"
52            }
53         ]
54      }
55   }
56}

Revoking a site token

To revoke a site token:

  1. Go to Site settings > Apps & integrations > API access.
  2. Find your site token
  3. Select the “revoke” button
Revoke site token

Revoking a site token is an additional security measure for your Webflow site. This process disables the token, preventing any further access or use. You should consider revoking a site token in the following situations:

  • Security Concerns: If there’s a potential security issue, revoke the token immediately.
  • Administrator Changes: If an administrator leaves or their role changes, revoke their token to maintain security.
  • Token Management: Regularly review and revoke tokens that are no longer needed.

Best practices

  • Mint tokens for each use case: Instead of reusing tokens, generate a new token for each specific use case to maintain better security and control.
  • Rotate tokens periodically: Regularly update and revoke old tokens to maintain security.
  • Be Descriptive: Name your tokens something descriptive and meaningful to easily identify their purpose.
  • Minimal Scopes: Generate tokens with the minimal scopes needed for your use case. Mint a new one if you need to add new scopes. This limits the potential impact if a token is compromised.

Troubleshooting and FAQs

Site tokens are valid until they’re manually revoked or after 365 days of inactivity.

Yes, you can generate a new token at any time from the API access section in your site settings.

You will need to generate a new one and update any integrations using the old token.