A site token is a unique identifier that provides access to site-specific information via the Webflow Data API.
When making a request, you'll need to authenticate your request with an access token. Similar to a password, a site token (also known as an “API key” or “access token”) identifies the entity making a request to an API, as well as actions that entity can perform through its scopes and permissions.
Creating a site token
Note: Only site administrators are authorized to create a site token. If you're not a site administrator, please contact one to create the token for you.
-
Go to Site settings > Apps & integrations > API access.
-
Click Generate token.
-
Enter a name for your API token.
-
Choose the permissions you want the API token to have for each of Webflow’s APIs
(i.e., no access, read-only, or read and write).
-
Click Generate token.
-
Copy the generated token to your clipboard.
Limitations
- API tokens expire after 365 consecutive days of inactivity. Any API call made with the token before expiry will reset the inactivity period.
- Site tokens are created per site. If you’re looking to build an integration that works across multiple sites, consider creating a Webflow App.
- Each site can have up to 5 tokens. This limit ensures manageable token access and security.
- Site tokens do not grant access to the following endpoints:
- Authorization endpoints
- Custom code endpoints
Using a site token
Now that you have your site token, you can start making requests to the Webflow Data APIs.
Making a Request with CURL
The simplest way to make a request is by using cURL
Example
curl --request GET \
--url https://api.webflow.com/v2/sites \
--header 'accept: application/json' \
--header 'authorization: Bearer YOUR_API_TOKEN'
This command retrieves a list of sites associated with your Webflow account. Replace YOUR_API_TOKEN with the site token you generated.
Making a Request with JavaScript
If you prefer working with JavaScript, you can use our JavaScript SDK. The SDK simplifies interacting with the Webflow API and handling requests.
First, install the Webflow SDK using npm:
npm install webflow-api
Example
import { WebflowClient } from 'webflow-api';
const token = 'YOUR_API_TOKEN';
const webflow = new WebflowClient({ accessToken: token });
(async () => {
try {
const sites = await webflow.sites.list();
console.log(sites);
} catch (error) {
console.error('Error fetching sites:', error);
}
})();
This command retrieves a list of sites associated with your Webflow account. Replace YOUR_API_TOKEN with the site token you generated.
Making a Request with Python
To make requests to the Webflow API using Python, you'll need to install the webflow package and use it to interact with the API.
First, install the webflow package using pip:
pip install webflow
Example
from webflow.client import Webflow
# Initialize the Webflow client with your access token
client = Webflow(access_token="YOUR_ACCESS_TOKEN")
# Fetch the list of sites
sites = client.sites.list()
# Print the list of sites
print(sites)
This command retrieves a list of sites associated with your Webflow account. Replace YOUR_API_TOKEN with the site token you generated.
Example API Response
Here's an example of what a response from the Webflow API might look like:
{"id": "42e98c9a982ac9b8b742","workspaceId": "42e63e98c9a982ac9b8b742","displayName": "The Hitchhiker's Guide to the Galaxy","shortName": "hitchhikers-guide","previewUrl": "https://screenshots.webflow.com/sites/6258612d1ee792848f805dcf/20231219211811_d5990556c743f33b7071300a03bf67e6.png","timeZone": "Magrathea/FactoryFloor","createdOn": "1979-10-12T12:00:00.000Z","lastUpdated": "2023-04-02T12:42:00.000Z","lastPublished": "2023-04-02T12:42:00.000Z","parentFolderId": "1as2d3f4g5h6j7k8l9z0x1c2v3b4n5m6","customDomains": [{"id": "589a331aa51e760df7ccb89d","url": "hitchhikersguide.galaxy"},{"id": "589a331aa51e760df7ccb89e","url": "heartofgold.spaceship"}],"locales": {"value": {"primary": {"id": "653fd9af6a07fc9cfd7a5e57","cmsLocaleId": "653ad57de882f528b32e810e","enabled": false,"displayName": "English (United States)","displayImageId": null,"redirect": true,"subdirectory": "","tag": "en-US"},"secondary": [{"id": "653fd9af6a07fc9cfd7a5e56","cmsLocaleId": "653fd9af6a07fc9cfd7a5e5d","enabled": true,"displayName": "French (France)","displayImageId": null,"subdirectory": "fr-fr","tag": "fr-FR"},{"id": "654112a3a525b2739d97664c","cmsLocaleId": "654112a3a525b2739d97664f","enabled": true,"displayName": "Spanish (Mexico)","displayImageId": null,"subdirectory": "es-mx","tag": "es-MX"}]}}}
Best Practices
- Mint tokens for each use case: Instead of reusing tokens, generate a new token for each specific use case to maintain better security and control.
- Rotate tokens periodically: Regularly update and revoke old tokens to maintain security.
- Be Descriptive: Name your tokens something descriptive and meaningful to easily identify their purpose.
- Minimal Scopes: Generate tokens with the minimal scopes needed for your use case. Mint a new one if you need to add new scopes. This limits the potential impact if a token is compromised.
Revoking a site token
Revoking a site token is an additional security measure for your Webflow site. This process disables the token, preventing any further access or use. You should consider revoking a site token in the following situations:
- Security Concerns: If there's a potential security issue, revoke the token immediately.
- Administrator Changes: If an administrator leaves or their role changes, revoke their token to maintain security.
- Token Management: Regularly review and revoke tokens that are no longer needed.
To create a site token:
- Go to Site settings > Apps & integrations > API access.
- Find your API Key
- Select the "revoke" button
Troubleshooting and FAQs
Site tokens are valid until they are manually revoked or after 365 days of inactivity.
Yes, you can generate a new token at any time from the API access section in your site settings.
You will need to generate a new one and update any integrations using the old token.