Authentication

Make authenticated requests to the Webflow API

In this guide, we’ll walk you through the options for authenticating requests to the Webflow API, including the different methods available and how to choose the best approach for your needs.

Why authentication is important

Authentication is a critical aspect of interacting with the Webflow API. It ensures that every request is secure and properly authorized, protecting both user data and the integrity of the platform. Here are the key reasons why authentication is essential:

  • Identity verification
    Authentication verifies the identity of the user or App making the request. This ensures that only authorized entities can access Webflow data.
  • Access control
    It ensures that the requester has the necessary permissions to perform the desired actions. This prevents unauthorized access and modifications to sensitive data.
  • Data protection
    By securing API requests, authentication helps protect user data from malicious activities. It ensures that data is accessed and modified only by those who are permitted.

Getting a token

To access the Webflow API, you need to authenticate your requests using a bearer token, which must be included in the Authorization header of each API request. There are two types of bearer tokens you can create: Site Tokens and OAuth tokens. Each type is suited to different use cases, and choosing the right one depends on your specific needs.

Site Token

Site Tokens provide a simple way to authenticate API requests for a specific Webflow site.


When to use

Best suited for internal tools and single-site integrations where you control the environment.


OAuth

OAuth Tokens are used for complex integrations that span multiple sites or require user-specific access.


When to use

Ideal for public integrations, Apps in the Webflow Marketplace, or any scenario requiring secure, user-specific access.


Quickstart Tip

If you’re eager to explore the API without setting up full authentication, use our API playground available in the API reference. Authenticate once and make requests directly from the documentation.

Sending a request

Sending a request to the Webflow API v2 is straightforward. Include your bearer token in the Authorization header:

cURL
curl --request GET \
  --url https://api.webflow.com/v2/sites \
  --header 'accept: application/json' \
  --header 'authorization: Bearer YOUR_TOKEN'

Replace YOUR_TOKEN with your actual API token. This setup authenticates your request, allowing access to Webflow resources.

For information on handling responses, including potential errors, please refer to our Error Handling section.

Revoking a token

To maintain the security of your integration, it’s important to revoke access tokens when they are no longer needed or if you suspect they have been compromised. Revoking a token immediately invalidates it, ensuring that it can no longer be used to access the Webflow API.

You can revoke tokens programmatically through the Webflow API or manage them directly within the Webflow dashboard.

Webflow users can remove Site Tokens from the Site Settings. This ensures that unused tokens are securely revoked.


Securing and storing your API tokens

When working with the Webflow API, safeguarding your API tokens is critical to maintaining the security and integrity of your application. API tokens are like passwords for your application—they provide access to sensitive data and actions. Protecting them is essential to prevent unauthorized use and potential security breaches.

Best practices for token security

  1. Use environment variables
    Store API tokens in environment variables rather than in your source code. This reduces the risk of accidentally exposing tokens, especially if your code is shared or made public.
  2. Regular token rotation and revocation
    Regularly rotate your API tokens to minimize risk. If you suspect a token has been compromised, revoke it immediately and generate a new one.
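The first practice applied to the sites request from this guide, as an added example that is not part of Webflow's documentation: the token is read from an environment variable and handed to curl on stdin, so it appears neither in the script nor in the process list. The variable name WEBFLOW_API_TOKEN and both function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Webflow's own code.
# Assumption: the token lives in an environment variable named WEBFLOW_API_TOKEN.

# Print a curl config (for `curl --config -`) that carries the bearer token.
# printf is a shell builtin, so the token never shows up in another
# process's argument list the way `--header 'authorization: ...'` would.
webflow_curl_config() {
    if [ -z "${WEBFLOW_API_TOKEN:-}" ]; then
        echo "WEBFLOW_API_TOKEN is not set" >&2
        return 1
    fi
    # Accept only the RFC 6750 bearer-token character set. Anything else
    # (quotes, spaces, newlines) could break out of the quoted config
    # value and inject extra curl options or headers.
    case "$WEBFLOW_API_TOKEN" in
        *[!A-Za-z0-9._~+/=-]*)
            echo "WEBFLOW_API_TOKEN contains unexpected characters" >&2
            return 1 ;;
    esac
    printf 'header = "accept: application/json"\n'
    printf 'header = "authorization: Bearer %s"\n' "$WEBFLOW_API_TOKEN"
}

# List sites. Prints the response body; returns non-zero if the token is
# missing or malformed, or if the API answers with an HTTP error status.
webflow_list_sites() {
    cfg=$(webflow_curl_config) || return 1
    printf '%s\n' "$cfg" | curl --silent --show-error --fail \
        --config - --request GET --url https://api.webflow.com/v2/sites
}
```

Export the variable in the calling environment (for example from a secrets manager or an untracked local file), then call `webflow_list_sites`.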

Troubleshooting

Despite best efforts, issues with API tokens can still occur. Here are common pitfalls and tips to resolve them:

Debugging tips

  • Log and review error messages to identify where the authentication process is breaking down.
  • Start with minimal scopes to test and gradually increase permissions as needed.
  • Verify that your requests include the authorization header with the token.