Get a Site Token

Site tokens grant access to the Webflow Data API for a specific site, making it possible to programmatically retrieve and manage your CMS data, handle form submissions, set up webhooks for event notifications, and more.

This approach is ideal for site owners looking to create personalized integrations tailored to their specific needs. If you’re building an internal tool, a site API token offers a quick and easy solution. However, for integrations intended for broader use, consider building a Webflow App that authenticates via OAuth.

What is a site token?

A site token is a unique identifier that provides access to a specific site’s information via the Webflow Data API. When you make a request to Webflow’s APIs, you need to provide a site token to authenticate. Similar to a password, a site token (also known as an “API key” or “access token”) identifies the entity making a request to an API, as well as actions that entity can perform through its scopes and permissions.

Using a site token, you can:

  • Access CMS Data: Retrieve, create, update, and delete CMS items directly from your external applications.
  • [Handle Form Submissions:]https://developers.webflow.com/data/reference/forms/get-submission) Collect form data submissions and manage them programmatically.
  • Set Up Webhooks: Receive real-time notifications about events happening on your site, such as form submissions or changes to CMS content.
  • Integrate with 3rd Party Services and Internal Tools: Seamlessly connect your Webflow site with your own internal tools and platforms to automate workflows and enhance functionality.

By leveraging site tokens, you can build custom integrations that cater to your specific needs, whether it’s automating content updates or syncing data across platforms.

Key Points to Remember:

Security: Treat your site token like a password. Store it securely and avoid sharing it publicly.

Permissions: Customize the scopes of your token to control which parts of your site it can access and what actions it can perform. Remember to ask only for the scopes you need.

Creating a site token

To create a site token:

  1. Go to Site settings > Apps & integrations > API access.
  2. Click Generate API token.
  3. Enter a name for your API token.
  4. Choose the permissions you want the API token to have for each of Webflow’s APIs
    (i.e., no access, read-only, or read and write).
  5. Click Generate token.
  6. Copy the generated token to your clipboard.

Limitations

Site tokens are created per site. If you’re looking to build an integration that works across multiple sites, consider creating a Webflow App. Site tokens do not grant access to:

  • Authorization endpoints.
  • Custom code endpoints.

Using a site token

Now that you have your site token, you can start making requests to the Webflow Data APIs. Here’s how to get started.

Making a Request with CURL

The simplest way to make a request is by using CURL. CURL is a command-line tool that allows you to transfer data to and from a server.

Example
1curl --request GET \
2 --url https://api.webflow.com/v2/sites \
3 --header 'accept: application/json' \
4 --header 'authorization: Bearer YOUR_API_TOKEN'

This command retrieves a list of sites associated with your Webflow account. Replace YOUR_API_TOKEN with the site token you generated.


Example API Response

Here’s an example of what a response from the Webflow API might look like:

JSON
1{
2 "sites": [
3 {
4 "id": "42e63e98c9a982ac9b8b741",
5 "workspaceId": "42e63fc8c9a982ac9b8b744",
6 "createdOn": "1979-10-12T12:00:00.000Z",
7 "displayName": "Heart of Gold Spaceship",
8 "shortName": "heart-of-gold",
9 "lastPublished": "2023-04-02T12:42:00.000Z",
10 "previewUrl": "https://d1otoma47x30pg.cloudfront.net/42e63e98c9a982ac9b8b741/197910121200.png",
11 "timeZone": "DeepSpace/InfiniteImprobability",
12 "parentFolderId": "1as2d3f4g5h6j7k8l9z0x1c2v3b4n5m6",
13 "customDomains": [
14 {
15 "id": "589a331aa51e760df7ccb89e",
16 "url": "heartofgold.galaxy"
17 }
18 ],
19 "locales": {
20 "primary": {
21 "id": "653fd9af6a07fc9cfd7a5e57",
22 "cmsLocaleId": "653ad57de882f528b32e810e",
23 "enabled": true,
24 "displayName": "English - Heart of Gold Standard",
25 "redirect": false,
26 "subdirectory": "/en",
27 "tag": "The Ultimate Answer"
28 },
29 "secondary": [
30 {
31 "id": "653fd9af6a07fc9cfd7a5e58",
32 "cmsLocaleId": "653ad57de882f528b32e810g",
33 "enabled": true,
34 "displayName": "Betelgeusian - Vogon Liaison",
35 "redirect": true,
36 "subdirectory": "/bet",
37 "tag": "Vogon"
38 },
39 {
40 "id": "653fd9af6a07fc9cfd7a5e59",
41 "cmsLocaleId": "653ad57de882f528b32e810h",
42 "enabled": false,
43 "displayName": "Magrathean - Custom Planet Designs",
44 "redirect": true,
45 "subdirectory": "/mg",
46 "tag": "Magrathean"
47 }
48 ]
49 }
50 }, ]
51}

Best Practices

  • Always use HTTPS: Ensure that your token is transmitted securely.
  • Mint tokens for each use case: Instead of reusing tokens, generate a new token for each specific use case to maintain better security and control.
  • Rotate tokens periodically: Regularly update and revoke old tokens to maintain security.
  • Be Descriptive: Name your tokens something descriptive and meaningful to easily identify their purpose.
  • Minimal Scopes: Generate tokens with the minimal scopes needed for your use case. Mint a new one if you need to add new scopes. This limits the potential impact if a token is compromised.

Troubleshooting and FAQs

Site tokens are valid until they are manually revoked or after 365 days of inactivity.

Yes, you can generate a new token at any time from the API access section in your site settings.

You will need to generate a new one and update any integrations using the old token.

Built with