A site token is a unique identifier that provides access to site-specific information via the Webflow Data API.

When making a request, you’ll need to authenticate your request with an access token. Similar to a password, a site token (also known as an “API key” or “access token”) identifies the entity making a request to an API, as well as actions that entity can perform through its scopes and permissions.


Creating a site token

Note: Only site administrators are authorized to create a site token. If you’re not a site administrator, please contact one to create the token for you.

  1. Go to Site settings > Apps & integrations > API access.

  2. Click Generate token.

  3. Enter a name for your API token.

  4. Choose the permissions you want the API token to have for each of Webflow’s APIs (i.e., no access, read-only, or read and write).

  5. Click Generate token.

  6. Copy the generated token to your clipboard.


Limitations

  • API tokens expire after 365 consecutive days of inactivity. Any API call made with the token before expiry will reset the inactivity period.
  • Site tokens are created per site. If you’re looking to build an integration that works across multiple sites, consider creating a Webflow App.
  • Each site can have up to 5 tokens. This limit ensures manageable token access and security.
  • Site tokens do not grant access to the following endpoints:
    • Authorization endpoints
    • Custom code endpoints

Using a site token

Now that you have your site token, you can start making requests to the Webflow Data APIs.

The simplest way to make a request is by using cURL:

Example

curl --request GET \
  --url https://api.webflow.com/v2/sites \
  --header 'accept: application/json' \
  --header 'authorization: Bearer YOUR_API_TOKEN'

This command retrieves a list of sites associated with your Webflow account. Replace YOUR_API_TOKEN with the site token you generated.
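
Typing the token directly into the command above leaves it in shell history and exposes it in the process list. The following is an added example, not part of Webflow's documentation: it reads the token from an environment variable and hands the headers to curl on stdin. The variable name WEBFLOW_SITE_TOKEN and both function names are assumptions made for this sketch.

```shell
# Added example: keep the site token out of argv and shell history.
# WEBFLOW_SITE_TOKEN is an assumed variable name, not one defined by Webflow.

# Print a curl config (consumed by `curl --config -`) holding the request headers.
# The token travels over stdin, so it never appears among curl's arguments.
webflow_curl_config() {
  local token="${WEBFLOW_SITE_TOKEN:-}"
  if [ -z "$token" ]; then
    echo "WEBFLOW_SITE_TOKEN is not set" >&2
    return 1
  fi
  # Allow only the Bearer token characters from RFC 6750, so the value
  # cannot break out of the quoted config string or inject extra options.
  case "$token" in
    *[!A-Za-z0-9._~+/=-]*)
      echo "token contains unexpected characters" >&2
      return 1
      ;;
  esac
  printf 'header = "accept: application/json"\n'
  printf 'header = "authorization: Bearer %s"\n' "$token"
}

# GET a Data API path over HTTPS only.
# Usage (after exporting the variable from a secrets store): webflow_get /v2/sites
webflow_get() {
  local path="$1" config
  config="$(webflow_curl_config)" || return 1
  printf '%s\n' "$config" |
    curl --silent --show-error --fail --proto '=https' \
         --config - --request GET --url "https://api.webflow.com${path}"
}
```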

Example API Response

Here’s an example of what a response from the Webflow API might look like:

Response
{
  "id": "42e98c9a982ac9b8b742",
  "workspaceId": "42e63e98c9a982ac9b8b742",
  "displayName": "The Hitchhiker's Guide to the Galaxy",
  "shortName": "hitchhikers-guide",
  "previewUrl": "https://screenshots.webflow.com/sites/6258612d1ee792848f805dcf/20231219211811_d5990556c743f33b7071300a03bf67e6.png",
  "timeZone": "Magrathea/FactoryFloor",
  "createdOn": "1979-10-12T12:00:00.000Z",
  "lastUpdated": "2023-04-02T12:42:00.000Z",
  "lastPublished": "2023-04-02T12:42:00.000Z",
  "parentFolderId": "1as2d3f4g5h6j7k8l9z0x1c2v3b4n5m6",
  "customDomains": [
    {
      "id": "589a331aa51e760df7ccb89d",
      "url": "hitchhikersguide.galaxy"
    },
    {
      "id": "589a331aa51e760df7ccb89e",
      "url": "heartofgold.spaceship"
    }
  ],
  "locales": {
    "value": {
      "primary": {
        "id": "653fd9af6a07fc9cfd7a5e57",
        "cmsLocaleId": "653ad57de882f528b32e810e",
        "enabled": false,
        "displayName": "English (United States)",
        "displayImageId": null,
        "redirect": true,
        "subdirectory": "",
        "tag": "en-US"
      },
      "secondary": [
        {
          "id": "653fd9af6a07fc9cfd7a5e56",
          "cmsLocaleId": "653fd9af6a07fc9cfd7a5e5d",
          "enabled": true,
          "displayName": "French (France)",
          "displayImageId": null,
          "subdirectory": "fr-fr",
          "tag": "fr-FR"
        },
        {
          "id": "654112a3a525b2739d97664c",
          "cmsLocaleId": "654112a3a525b2739d97664f",
          "enabled": true,
          "displayName": "Spanish (Mexico)",
          "displayImageId": null,
          "subdirectory": "es-mx",
          "tag": "es-MX"
        }
      ]
    }
  }
}

Best Practices

  • Mint tokens for each use case: Instead of reusing tokens, generate a new token for each specific use case to maintain better security and control.
  • Rotate tokens periodically: Regularly update and revoke old tokens to maintain security.
  • Be Descriptive: Name your tokens something descriptive and meaningful to easily identify their purpose.
  • Minimal Scopes: Generate tokens with the minimal scopes needed for your use case. Mint a new one if you need to add new scopes. This limits the potential impact if a token is compromised.

Revoking a site token

Revoking a site token is an additional security measure for your Webflow site. This process disables the token, preventing any further access or use. You should consider revoking a site token in the following situations:

  • Security Concerns: If there’s a potential security issue, revoke the token immediately.
  • Administrator Changes: If an administrator leaves or their role changes, revoke their token to maintain security.
  • Token Management: Regularly review and revoke tokens that are no longer needed.

To revoke a site token:

  1. Go to Site settings > Apps & integrations > API access.
  2. Find your API key.
  3. Select the “revoke” button.


Troubleshooting and FAQs