Authentication
Make authenticated requests to the Webflow API
In this guide, we’ll walk you through the options for authenticating requests to the Webflow API, including the different methods available and how to choose the best approach for your needs.
Why authentication is important
Authentication is a critical aspect of interacting with the Webflow API. It ensures that every request is secure and properly authorized, protecting both user data and the integrity of the platform. Here are the key reasons why authentication is essential:
- Identity verification
Authentication verifies the identity of the user or App making the request. This ensures that only authorized entities can access Webflow data. - Access control
It ensures that the requester has the necessary permissions to perform the desired actions. This prevents unauthorized access and modifications to sensitive data. - Data protection
By securing API requests, authentication helps protect user data from malicious activities. It ensures that data is accessed and modified only by those who are permitted.
Getting a token
To access the Webflow API, you need to authenticate your requests using a bearer token, which must be included in the authorization header of each API request. There are types of bearer tokens you can create: Site Tokens and OAuth tokens. Each method is suited to different use cases, and choosing the right one depends on your specific needs.
Site Token
Quickstart Tip
If you’re eager to explore the API without setting up full authentication, use our API playground available in the API reference. Authenticate once and make requests directly from the documentation.
Sending a request
Sending a request to the Webflow API v2 is straightforward. Include your bearer token in the Authorization header:
Replace YOUR_TOKEN
with your actual API token. This setup authenticates your request, allowing access to Webflow resources.
For information on handling responses, including potential errors, please refer to our Error Handling section.
Revoking a token
To maintain the security of your integration, it’s important to revoke access tokens when they are no longer needed or if you suspect they have been compromised. Revoking a token immediately invalidates it, ensuring that it can no longer be used to access the Webflow API.
You can revoke tokens programmatically through the Webflow API or manage them directly within the Webflow dashboard.
Site Token
OAuth Token
Webflow users can remove Site Tokens from the Site Settings. This ensures that unused tokens are securely revoked.
Securing and storing your API tokens
When working with the Webflow API, safeguarding your API tokens is critical to maintaining the security and integrity of your application. API tokens are like passwords for your application—they provide access to sensitive data and actions. Protecting them is essential to prevent unauthorized use and potential security breaches.
Best practices for token security
- Use environment variables
Store API tokens in environment variables rather than in your source code. This reduces the risk of accidentally exposing tokens, especially if your code is shared or made public. - Regular token rotation and revocation
Regularly rotate your API tokens to minimize risk. If you suspect a token has been compromised, revoke it immediately and generate a new one.
Troubleshooting
Despite best efforts, issues with API tokens can still occur. Here are common pitfalls and tips to resolve them:
Debugging tips
- Log and review error messages to identify where the authentication process is breaking down.
- Start with minimal scopes to test and gradually increase permissions as needed.
- Verify that your requests include the authorization header with the token.