OAuth
OAuth2 is a defined authorization spec that we use to enable third-party applications to integrate with Webflow. Before interacting with the API, developers should register their applications, at which point a client_id and client_secret will be generated.
Webflow supports the authorization code grant, so applications built to integrate with Webflow should implement the flow as defined below: first retrieve an authorization code (after a user approves the request), then exchange that code for an access token to be used on all subsequent requests.
User authorization
Direct a user to the authorization URL with the correct parameters specified. When they accept or deny the authorization request, the user will be redirected back to the redirect_url provided during OAuth Application setup.
Request
GET https://webflow.com/oauth/authorize
| PARAMETER | DESCRIPTION |
|---|---|
| client_id | Unique ID for your application. Can be found in the dashboard. |
| response_type | Always should be "code". |
| state | A token value provided by your application for CSRF protection. |
The final URL should look like this, but substituted with your own client_id and optional state parameter: https://webflow.com/oauth/authorize/?client_id=8151ef1a5613fe2340e62395008595d23b31e15edfd0c5b1a49ad3560d5ca16b&response_type=code
You receive the response to the authorization request via the redirect URL you specified during application setup; that URL can be updated in the dashboard.
Response
| PARAMETER | DESCRIPTION |
|---|---|
| code | Authorization code used to retrieve an access_token for the user. Can only be used once. |
| state | Same as the original value, if provided. |
Error Response
| PARAMETER | DESCRIPTION |
|---|---|
| state | Same as the original value, if provided. |
| error | An error code specifying which error occurred. |
| error_description | Human-readable description of the error that occurred. |
Request access token
curl https://api.webflow.com/oauth/access_token \
  -d client_id="8151ef1a5613fe2340e62395008595d23b31e15edfd0c5b1a49ad3560d5ca16b" \
  -d client_secret="94cd4c5ac02604185a4ce2bca3f46c14c60ed9c5df86f76b43089997d8febfcf" \
  -d code="c64a5accd53542c485e97a90e287ac18f522ec828947696fb13feb5255e3c42f" \
  -d grant_type="authorization_code"

{
  "token_type": "bearer",
  "access_token": "79f75b59455167fdb72d3f777409d390a3a93c048539ec6ddc34327cb312627e"
}
- Once the code has been retrieved from the redirect URL, to finalize the authorization your application must request an access_token.
- The access_token request should be made as soon as possible after authorization, as unconfirmed authorizations are only valid for 30 minutes.
Request
POST https://api.webflow.com/oauth/access_token
| PARAMETER | DESCRIPTION |
|---|---|
| client_id | Unique ID for your application. Can be found in the dashboard. |
| client_secret | Private value unique to your application. Can be found in the dashboard. |
| code | Authorization code used to retrieve an access_token for the user. Can only be used once. |
| grant_type | Always should be "authorization_code". |
Response
| PARAMETER | DESCRIPTION |
|---|---|
| token_type | Always will be "bearer". |
| access_token | Token to use when making API requests on behalf of a user. |
Error Response
| PARAMETER | DESCRIPTION |
|---|---|
| error | An error code specifying which error occurred. |
| error_description | Human-readable description of the error that occurred. |
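The three steps above (build the authorization URL, validate the redirect back to your application, exchange the one-time code for a bearer token) as an added example client; this is not Webflow's own code or SDK. The `post` callable passed to `exchange_code` is an assumed transport (for instance a thin wrapper around `requests.post`) so the exchange step can be exercised without network access.

```python
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_URL = "https://webflow.com/oauth/authorize"
TOKEN_URL = "https://api.webflow.com/oauth/access_token"


def new_state() -> str:
    """Unguessable per-authorization value; keep it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id: str, state: str) -> str:
    """Step 1: the URL the user is sent to. response_type is always 'code'."""
    query = {"client_id": client_id, "response_type": "code", "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(query)}"


def parse_callback(redirect_url: str, expected_state: str) -> str:
    """Step 2: validate the redirect back to our app and return the code.

    Raises ValueError on a state mismatch (possible CSRF), on an error
    response (error / error_description in the query string), or when
    the callback carries neither a code nor an error.
    """
    params = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    # Constant-time comparison so the check does not leak the expected state.
    if not hmac.compare_digest(params.get("state", "").encode(), expected_state.encode()):
        raise ValueError("state mismatch: discarding callback")
    if "error" in params:
        raise ValueError(f"{params['error']}: {params.get('error_description', '')}")
    if "code" not in params:
        raise ValueError("callback carried neither code nor error")
    return params["code"]


def exchange_code(client_id: str, client_secret: str, code: str, post) -> str:
    """Step 3: POST the one-time code plus client secret for a bearer token.

    `post(url, form) -> response body (str)` is an assumed transport supplied
    by the caller; the secret travels in the form body, never a query string.
    """
    form = {"client_id": client_id, "client_secret": client_secret,
            "code": code, "grant_type": "authorization_code"}
    body = json.loads(post(TOKEN_URL, form))
    if "error" in body:
        raise ValueError(f"{body['error']}: {body.get('error_description', '')}")
    if body.get("token_type") != "bearer":
        raise ValueError(f"unexpected token_type: {body.get('token_type')}")
    return body["access_token"]
```

Call `exchange_code` promptly after the callback arrives, since the page notes that unconfirmed authorizations expire after 30 minutes and each code is single-use.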
API Keys
In addition to the authorization code grant, it is also possible to get access_tokens for personal applications.
If you are developing a private integration with Webflow and you are only interacting with your own account, there is a simplified process for getting an access_token without having to register an OAuth application and implement the full authorization code grant flow. You can simply generate an API key (equivalent to an access_token) from the Webflow dashboard.
API keys may be generated either on a per-site basis or as a team-wide API key (by the owner of the team).
Keep in mind, API keys are effectively the same as your Webflow password, so be sure to treat them with the same level of care!
Site API Keys
To generate an API key for a site, open the site in the dashboard and navigate to the “Settings” pane. There is a section titled “API Access”, where you can generate a new API key.
Team API Keys
To generate an API key for a team, open the team in the dashboard and navigate to the “Settings” pane. There is a section titled “API Access”, where you can generate a new API key.
OAuth Applications
Register an application
Applications may be registered to either a user or to a team.
User
To register an application as a user, open the integrations tab of account settings and click the “Register New Application” button.
Teams
To register an application as a team, open the settings page for your team by clicking on it in the teams overview page. Then navigate to the integrations section and click the “Register New Application” button.
The following fields are required for registration:
| FIELDS | DESCRIPTION |
|---|---|
| Application Name | The name of the application that will appear when someone authorizes your application. |
| Application Description | A short description that will appear to users on the authorization request page. |
| Redirect URL | The URL we redirect users to after they approve / deny the authorization request. The URL must begin with https and be served with SSL. |
| Application Homepage | A link to the homepage of your application. |
Upon registration you should see the client_id and client_secret tokens for your application. You will need these in order to create authorizations for users with your application.
OAuth Errors
Errors returned in the query string to the redirect URL set up for your application.
Authorization Errors
| Error Code | Description |
|---|---|
| invalid_request | |
| unsupported_response_type | |
| access_denied | |
Errors returned by the API for the POST /oauth/access_token endpoint.
Access code errors
| Error Code | Description |
|---|---|
| unsupported_grant_type | grant_type should always be specified as the string: authorization_code |
| invalid_client | No OAuth application found matching the provided credentials |
| invalid_grant | Provided code was invalid |