Skip to content

Webflow API Token

Service Name: Webflow

Service Description: Webflow is a visual web design platform that allows users to design, build, and launch responsive websites visually, without coding. It provides a CMS, e-commerce capabilities, and hosting services.

Service Address: https://webflow.com/

Validation Type: API Auth

IP Allow list: Does not exist at the token level, but Webflow offers site password protection and custom domain security settings.

Secret Access Scope: Grants programmatic access to Webflow sites, allowing management of sites, pages, collections, items, and e-commerce functionality depending on the token's scope.

Secret Revokement URL: https://webflow.com/dashboard/account/integrations

Secret Example: d47f7c9c1e1f1e1f1e1f1e1f1e1f1e1f1e1f1e1f1e1f1e1f1e1f1e1f1e1f

Suspicious Activity Investigation Instructions:

  • Review the Webflow site activity logs for unusual changes or content modifications.
  • Check for unauthorized site publications or deployments.
  • Monitor for unexpected changes to collections, CMS items, or e-commerce settings.
  • Review API usage logs for unusual patterns or high-volume requests.
  • Check for new team members or collaborators that were not authorized.

Mitigation Instructions:

  • Log in to your Webflow account at https://webflow.com/dashboard.
  • Navigate to Account Settings > Integrations.
  • Locate the compromised API token.
  • Click "Revoke" next to the token to immediately invalidate it.
  • Generate a new API token with appropriate scopes if needed.
  • Review site permissions and remove any unauthorized collaborators.
  • Enable two-factor authentication for your Webflow account if not already enabled.
  • Consider implementing site password protection for additional security.