Resources/The Agent API Atlas/E-commerce/Webflow

Everything an AI agent can do with the Webflow API.

A reference guide for building AI agents: every method, how to authenticate, and the permissions each one needs.

Endpoints30

API versionv2

Last updated23 June 2026

Orientation

How the Webflow API works.

The Webflow API is how an app or AI agent works with a Webflow site: reading and editing CMS collection items, publishing a site, managing store products and orders, and reading form submissions. Access is granted through an OAuth token or a site API token, and each request is checked against the scopes the token carries, like cms:read or ecommerce:write, which set what it can read or change. Webflow can also push events to a registered endpoint, so an integration learns about a form submission or a publish without polling.

30Endpoints

9Capability groups

15Read

15Write

12Permissions

Authentication

Webflow authenticates a call with a bearer token. A Data Client app uses OAuth 2.0 to obtain an access token on a user's behalf, while a site API token is generated in a single site's settings for server-side use. Both carry scopes, and custom-code endpoints are reachable only by an OAuth Data Client app, not by a site token.

Permissions

Each endpoint requires a specific scope, granted as a read or write pair per area, like cms:read and cms:write, ecommerce:read and ecommerce:write, forms:read and forms:write, pages, assets, and sites. A token missing the scope a method needs is rejected, and the response names the missing scope.

Versioning

The Data API runs under a single major version, v2, in the path. Webflow versions breaking changes by date through its release notes, and from 15 September 2025 certain write requests must send a version so a future breaking change does not silently alter behavior.

Data model

A site holds CMS collections, pages, assets, and, on a store, products, SKUs, and orders. A CMS item exists in a staged (draft) state and a published (live) state, so an edit can be prepared and then published separately. A SKU is itself a CMS item, and inventory is tracked against it.

Connect & authenticate

Connection & authentication methods.

How an app or AI agent connects to Webflow determines what it can reach. There is a route for making calls, a route for receiving events, and a hosted server that exposes Webflow tools to agents, and each is governed by the token behind it and the scopes that token carries.

Ways to connect

REST API

The Data API takes JSON request bodies, returns JSON, and pages through lists with an offset and limit, at https://api.webflow.com/v2. A call authenticates with a bearer token, either an OAuth access token or a site API token, and the token's scopes decide what it can reach.

Best forConnecting an app or AI agent to a Webflow site.

Governed byThe token and the scopes it carries.

Docs ↗

Webhooks

Webflow POSTs a JSON payload to an HTTPS endpoint registered per site, one webhook per event trigger such as form_submission, site_publish, or collection_item_changed. The receiver verifies the request with the X-Webflow-Signature and X-Webflow-Timestamp headers against the app's client secret to confirm it came from Webflow.

Best forReceiving Webflow events at an app or AI agent.

Governed byThe signature on the request and the scope behind the trigger.

Docs ↗

MCP server

Webflow publishes a first-party hosted Model Context Protocol server at https://mcp.webflow.com/sse that exposes Webflow tools to AI agents and LLM clients, authenticated by OAuth. It covers Data API operations like CMS item create, read, update, and delete, asset management, page metadata, and site metadata, plus Designer API tools that need the companion app open in the Webflow Designer. The server is open source at github.com/webflow/mcp-server.

Best forConnecting an AI agent to Webflow through MCP.

Governed byThe OAuth grant and the scopes it carries.

Docs ↗

Authentication

OAuth 2.0 (Data Client app)

A Data Client app uses the OAuth 2.0 authorization-code flow to get an access token on behalf of a Webflow user, with the scopes the user consents to. This is the route for apps installed across many sites, and it is the only route that can reach custom-code endpoints.

TokenOAuth bearer access token

Best forApps that connect to sites they do not own, across many workspaces.

Docs ↗

Site API token

A site API token is generated in a single site's settings and grants server-side access scoped to that one site. It is quick to set up for an integration against a site the owner controls, but cannot call custom-code endpoints, which are limited to OAuth Data Client apps.

TokenSite bearer API token

Best forServer-side access to a single, owned site.

Docs ↗

Capability map

What an AI agent can do in Webflow.

The Webflow Data API is split into areas an agent can act on, like sites, CMS collections and their items, pages, store products, orders, forms, and assets. Each area has its own methods, and writes in some areas publish content live, change inventory, or refund a customer.

Sites

3 endpoints

Methods for listing sites, reading site details, and publishing a site.

Publishing a site pushes changes live to its public domains.

View endpoints →

CMS Collections

2 endpoints

Methods for listing collections and reading a collection's structure.

A write here changes a collection's structure on the site.

View endpoints →

CMS Items

6 endpoints

Methods for working with collection items, in their staged (draft) and live states.

A publish or live write makes content visible on the public site.

View endpoints →

Pages

3 endpoints

Methods for listing pages and reading or editing page content.

A write here changes the content of a published page.

View endpoints →

Products & SKUs

4 endpoints

Methods for working with store products and their SKUs.

A write here changes a store's catalog and pricing.

View endpoints →

Orders & Inventory

5 endpoints

Methods for reading orders, fulfilling them, refunding them, and adjusting inventory.

A write here fulfills, refunds, or changes stock on real orders.

View endpoints →

Forms

3 endpoints

Methods for listing forms and reading or editing form submissions.

A write here edits or deletes a captured form submission.

View endpoints →

Assets

2 endpoints

Methods for listing assets and uploading new ones to a site.

A write here uploads a file into the site's asset library.

View endpoints →

Webhooks

2 endpoints

Methods for registering and managing the endpoints Webflow notifies.

A write here changes where Webflow sends a site's events.

View endpoints →

Endpoint reference

Every Webflow API method.

Filter by method, access, or permission, or search any path. Select a row for version detail, rate limits, the related webhook event, and the source.

Hide deprecated

Method	Endpoint	What it does	Access	Permission	Version
Sites Methods for listing sites, reading site details, and publishing a site.3
GET	`/v2/sites`	List all sites the authenticated token can access.	read	`sites:read`	Current
Read-only. Acts onsite Permission (capability)`sites:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/sites/{site_id}`	Retrieve details of a single site.	read	`sites:read`	Current
Read-only. Acts onsite Permission (capability)`sites:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/sites/{site_id}/publish`	Publish a site to its domains, optionally to specific custom domains.	write	`sites:write`	Current
Pushes the current site content live; fires site_publish. Acts onsite Permission (capability)`sites:write` VersionAvailable since the API’s base version Webhook event`site_publish` Rate limitStandard limits apply SourceOfficial documentation ↗
CMS Collections Methods for listing collections and reading a collection's structure.2
GET	`/v2/sites/{site_id}/collections`	List all CMS collections on a site.	read	`cms:read`	Current
Read-only. Acts oncollection Permission (capability)`cms:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/collections/{collection_id}`	Retrieve a collection's full schema, including its fields.	read	`cms:read`	Current
Read-only. Acts oncollection Permission (capability)`cms:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
CMS Items Methods for working with collection items, in their staged (draft) and live states.6
GET	`/v2/collections/{collection_id}/items`	List all items in a collection, in their staged (draft) state.	read	`cms:read`	Current
Read-only; returns draft state. Acts oncollection_item Permission (capability)`cms:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/collections/{collection_id}/items`	Create one or more collection items as drafts, up to 100 per request.	write	`cms:write`	Current
Creates staged items; they are not live until published. Acts oncollection_item Permission (capability)`cms:write` VersionAvailable since the API’s base version Webhook event`collection_item_created` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/v2/collections/{collection_id}/items`	Update one or more collection items, up to 100 per request.	write	`cms:write`	Current
Edits staged items; publish separately to push live. Acts oncollection_item Permission (capability)`cms:write` VersionAvailable since the API’s base version Webhook event`collection_item_changed` Rate limitStandard limits apply SourceOfficial documentation ↗
DELETE	`/v2/collections/{collection_id}/items`	Delete one or more collection items, up to 100 per request.	write	`cms:write`	Current
Removes staged items; fires collection_item_deleted. Acts oncollection_item Permission (capability)`cms:write` VersionAvailable since the API’s base version Webhook event`collection_item_deleted` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/collections/{collection_id}/items/publish`	Publish staged collection items so they appear on the live site.	write	`cms:write`	Current
Makes draft items visible publicly; fires collection_item_published. Acts oncollection_item Permission (capability)`cms:write` VersionAvailable since the API’s base version Webhook event`collection_item_published` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/collections/{collection_id}/items/live`	Create one or more collection items and publish them live in a single call.	write	`cms:write`	Current
Skips the draft step; content is live immediately. Acts oncollection_item Permission (capability)`cms:write` VersionAvailable since the API’s base version Webhook event`collection_item_published` Rate limitStandard limits apply SourceOfficial documentation ↗
Pages Methods for listing pages and reading or editing page content.3
GET	`/v2/sites/{site_id}/pages`	List all static pages on a site.	read	`pages:read`	Current
Read-only. Acts onpage Permission (capability)`pages:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/pages/{page_id}/dom`	Retrieve the static content (the DOM) of a page.	read	`pages:read`	Current
Read-only. Acts onpage Permission (capability)`pages:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/pages/{page_id}/dom`	Update the static text content of a page's DOM nodes.	write	`pages:write`	Current
Edits page copy in place; changes apply on next publish. Acts onpage Permission (capability)`pages:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Products & SKUs Methods for working with store products and their SKUs.4
GET	`/v2/sites/{site_id}/products`	List all products on a store, with their SKUs.	read	`ecommerce:read`	Current
Read-only. Acts onproduct Permission (capability)`ecommerce:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/sites/{site_id}/products/{product_id}`	Retrieve a single product and its SKUs.	read	`ecommerce:read`	Current
Read-only. Acts onproduct Permission (capability)`ecommerce:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/sites/{site_id}/products`	Create a product together with a default SKU.	write	`ecommerce:write`	Current
A product must be created with at least one SKU. Acts onproduct Permission (capability)`ecommerce:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/sites/{site_id}/products/{product_id}/skus`	Create one or more additional SKUs on an existing product.	write	`ecommerce:write`	Current
A SKU is stored as a CMS item under the product. Acts onsku Permission (capability)`ecommerce:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Orders & Inventory Methods for reading orders, fulfilling them, refunding them, and adjusting inventory.5
GET	`/v2/sites/{site_id}/orders`	List a store's orders.	read	`ecommerce:read`	Current
Read-only. Acts onorder Permission (capability)`ecommerce:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/sites/{site_id}/orders/{order_id}`	Retrieve a single order.	read	`ecommerce:read`	Current
Read-only. Acts onorder Permission (capability)`ecommerce:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/sites/{site_id}/orders/{order_id}/fulfill`	Mark an order as fulfilled, optionally notifying the customer.	write	`ecommerce:write`	Current
Changes the order status to fulfilled. Acts onorder Permission (capability)`ecommerce:write` VersionAvailable since the API’s base version Webhook event`ecomm_order_changed` Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/sites/{site_id}/orders/{order_id}/refund`	Refund an order through the connected payment provider.	write	`ecommerce:write`	Current
Moves real money back to the customer; not reversible. Acts onorder Permission (capability)`ecommerce:write` VersionAvailable since the API’s base version Webhook event`ecomm_order_changed` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/v2/collections/{sku_collection_id}/items/{sku_id}/inventory`	Update the tracked inventory quantity for a SKU.	write	`ecommerce:write`	Current
Sets or increments stock; fires ecomm_inventory_changed. Acts oninventory Permission (capability)`ecommerce:write` VersionAvailable since the API’s base version Webhook event`ecomm_inventory_changed` Rate limitStandard limits apply SourceOfficial documentation ↗
Forms Methods for listing forms and reading or editing form submissions.3
GET	`/v2/sites/{site_id}/forms`	List all forms on a site and their schemas.	read	`forms:read`	Current
Read-only. Acts onform Permission (capability)`forms:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
GET	`/v2/sites/{site_id}/forms/{form_id}/submissions`	List the submissions captured by a form.	read	`forms:read`	Current
Read-only; submissions contain whatever the form collected. Acts onform_submission Permission (capability)`forms:read` VersionAvailable since the API’s base version Webhook event`form_submission` Rate limitStandard limits apply SourceOfficial documentation ↗
PATCH	`/v2/sites/{site_id}/form_submissions/{form_submission_id}`	Update the stored data on a single form submission.	write	`forms:write`	Current
Edits a captured submission in place. Acts onform_submission Permission (capability)`forms:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Assets Methods for listing assets and uploading new ones to a site.2
GET	`/v2/sites/{site_id}/assets`	List the assets in a site's library.	read	`assets:read`	Current
Read-only. Acts onasset Permission (capability)`assets:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/sites/{site_id}/assets`	Upload a new asset to a site, returning a presigned upload target.	write	`assets:write`	Current
Registers the asset, then the file is uploaded to the returned target. Acts onasset Permission (capability)`assets:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
Webhooks Methods for registering and managing the endpoints Webflow notifies.2
GET	`/v2/sites/{site_id}/webhooks`	List the webhooks registered on a site.	read	`sites:read`	Current
Read-only. Acts onwebhook Permission (capability)`sites:read` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗
POST	`/v2/sites/{site_id}/webhooks`	Register a webhook to receive a chosen event for a site.	write	`sites:write`	Current
The scope needed depends on the trigger_type chosen. Acts onwebhook Permission (capability)`sites:write` VersionAvailable since the API’s base version Webhook eventNone Rate limitStandard limits apply SourceOfficial documentation ↗

No endpoints match those filters.

Webhooks

Webhook events.

Webflow can notify an app when something happens on a site, like a form being submitted, a site being published, or a CMS item changing. It POSTs a payload describing the event to a registered endpoint, so an integration learns about activity without polling.

Event	What it signals	Triggered by
`form_submission`	A visitor submitted a form on the site. The payload includes the submitted field data.	`/v2/sites/{site_id}/forms/{form_id}/submissions`
`site_publish`	A site was published to one or more of its domains.	`/v2/sites/{site_id}/publish`
`collection_item_created`	A new CMS collection item was created.	`/v2/collections/{collection_id}/items`
`collection_item_changed`	An existing CMS collection item was updated.	`/v2/collections/{collection_id}/items`
`collection_item_deleted`	A CMS collection item was deleted.	`/v2/collections/{collection_id}/items`
`collection_item_published`	A CMS collection item was published to the live site.	`/v2/collections/{collection_id}/items/publish` `/v2/collections/{collection_id}/items/live`
`ecomm_new_order`	A new ecommerce order was placed on the store.	`/v2/sites/{site_id}/orders`
`ecomm_order_changed`	An ecommerce order changed, like being fulfilled or refunded.	`/v2/sites/{site_id}/orders/{order_id}/fulfill` `/v2/sites/{site_id}/orders/{order_id}/refund`
`ecomm_inventory_changed`	The tracked inventory for a SKU changed.	`/v2/collections/{sku_collection_id}/items/{sku_id}/inventory`

No events match that search.

Rate limits & pagination

Rate limits, pagination & request size.

Webflow limits how fast an app can call, by a per-minute request rate that depends on the site's plan, and returns headers on every response so an integration can track what it has left.

Request rate

Webflow meters requests by a per-minute rate tied to the site's plan, tracked separately for each API key. Starter and Basic sites allow 60 requests per minute, while CMS, Ecommerce, and Business sites allow 120 per minute; Enterprise limits are set on request. Going over returns HTTP 429 with a Retry-After header naming how long to wait, typically 60 seconds. Every response also carries X-RateLimit-Limit and X-RateLimit-Remaining so an integration can track its remaining budget, and Webflow recommends webhooks over polling to stay within the limit.

Pagination

List endpoints page with offset and limit query parameters: limit sets the page size and offset sets where the page starts, and the response includes a pagination object with the total count so a caller knows how many pages remain. CMS item lists default to a page size of 100.

Request size

Bulk CMS item endpoints accept up to 100 items per create, update, or delete request. A list page returns at most 100 items. Asset uploads are size-limited by the site's plan.

Errors

Status codes & error handling.

The status codes an agent should handle, and what to do about each.

Status	Code	Meaning	What to do
400	`bad_request`	The request was malformed, like a missing required field or an invalid value.	Read the message and details array, fix the request body, and resend.
401	`not_authorized`	The request lacks valid authentication credentials, like a missing or expired token.	Send a valid bearer token, and refresh an expired OAuth access token.
403	`forbidden`	The token is valid but lacks the scope or permission the request needs. The body names the missing scopes.	Grant the scope the endpoint requires, then re-authorize the token.
404	`resource_not_found`	The requested resource does not exist or is not visible to this token.	Verify the site, collection, item, or order ID and the token's access.
409	`conflict`	The request conflicts with the current state of the resource, like a duplicate or a concurrent change.	Re-read the resource, resolve the conflict, and retry.
429	`too_many_requests`	The per-minute rate limit was exceeded.	Wait for the time in the Retry-After header, then retry with backoff.
500	`internal_error`	An unexpected error occurred on Webflow's side.	Retry with backoff, and contact Webflow support if it persists.

Versioning & freshness

Version history.

Webflow runs a single major version of the Data API, and ships dated changes through release notes, including breaking changes that require pinning a version on write requests.

Version history

What changed, and when

Latest versionv2

v2Current version

Data API v2 (current major version)

The Data API runs under a single major version, v2, in every path. Webflow does not mint a new version string for additive features; it ships dated changes through its release notes and versions breaking changes by date. Newer additive updates get a history entry without changing the v2 path.

What changed

Analyze API reached general availability with traffic, top pages, top dimensions, top events, and time-on-page reports (16 June 2026).
Bulk CMS item authoring, editing, and deleting supports up to 100 items per request.
Webhooks cover form submission, site publish, CMS item lifecycle, and ecommerce order and inventory events.

2026-06-16Feature update

Analyze API general availability

The Analyze API moved to general availability, letting an app read a site's analytics through five reports, filterable by dimensions like country, device, or traffic source.

What changed

Reports: traffic, top pages, top dimensions, top events, time on page.
Each report reads under the sites:read scope.

2026-01-29Requires migration

User Accounts APIs removed

Webflow disabled User Accounts on all sites and removed the related APIs and webhooks. Integrations that managed site memberships through the API lost those endpoints.

What changed

Removed list, get, update, delete, and invite users endpoints.
Removed the access-groups endpoint.
Removed the associated user webhooks.

2024-10-01Feature update

Bulk CMS item endpoints

Webflow added bulk authoring, editing, and deleting of CMS items, supporting up to 100 items per request, to ease rate-limit pressure and manage large content sets more efficiently.

What changed

Create, update, and delete up to 100 collection items per request.

Pin a version on writes and move up on a schedule that suits the integration.

Webflow API changelog ↗

Questions

Webflow API, answered.

What is the difference between an OAuth token and a site API token?+

An OAuth access token comes from a Data Client app that a user installs, and it can reach sites the app does not own, across many workspaces. A site API token is generated in one site's settings and is scoped to that single site. Both are bearer tokens carrying scopes, but only an OAuth Data Client app can call custom-code endpoints.

What is the difference between a staged item and a live item?+

A CMS item has a staged (draft) state and a published (live) state. Editing through the staged item endpoints changes the draft without touching the public site, then a publish call pushes it live. The live item endpoints, like create live, write and publish in one step. This lets an integration prepare content and publish it on its own schedule.

How do I verify a webhook really came from Webflow?+

Each webhook request carries an X-Webflow-Signature header and an X-Webflow-Timestamp header. The receiver computes an HMAC over the timestamp and the raw request body using the app's client secret and compares it to the signature, rejecting a mismatch. The timestamp also lets the receiver reject stale requests to prevent replay.

Why am I getting a missing-scopes or 403 error?+

A 403 forbidden means the token is valid but does not carry the scope the endpoint requires. Each method needs a specific scope, like cms:write to edit items or ecommerce:write to refund an order. The error body names the missing scopes. Add the scope to the app or token and re-authorize, then retry.

Do write requests need a version?+

From 15 September 2025, certain write endpoints require a version on the request, so a future breaking change does not silently alter how a write behaves. Sending the version pins the behavior, and Webflow flags in its release notes which endpoints require it. Read requests are unaffected.

Does Webflow still have a Users (memberships) API?+

No. As of 29 January 2026, Webflow disabled User Accounts on all sites and removed the related APIs, including list, get, update, delete, and invite users, and the access-groups endpoint. Integrations that managed site memberships through the API no longer have those endpoints available.

How does a SKU relate to the CMS?+

On a Webflow store, a SKU is stored as a CMS item in a special SKU collection, and inventory is tracked against that item. That is why inventory updates target a SKU through a collection and item path, and why product and SKU writes use the ecommerce scope rather than the plain CMS scope.

What is Bollard AI?

Control what every AI agent can do in Webflow.

Bollard AI sits between a team's AI agents and Webflow. Grant each agent exactly the access it needs, read or write, area by area, and every call is checked and logged.

Set read, write, or full access per agent, never a shared Webflow token.
Denied by default, so an agent reaches only what has been explicitly allowed.
Every call recorded in plain English: who, what, where, and the decision.

Control Webflow access in Bollard Browse all APIs →

Webflow

Content Agent

Read CMS items ResourceOffReadFull use

Publish items live ActionOffReadFull use

Refund orders ActionOffReadFull use

Assets ResourceOffReadFull use

Per-agent access, set in Bollard AI, not in Webflow

How the Webflow API works.

Connection & authentication methods.

REST API

Webhooks

MCP server

OAuth 2.0 (Data Client app)

Site API token

What an AI agent can do in Webflow.

Sites

CMS Collections

CMS Items

Pages

Products & SKUs

Orders & Inventory

Forms

Assets

Webhooks

Every Webflow API method.

Sites

CMS Collections

CMS Items

Pages

Products & SKUs

Orders & Inventory

Forms

Assets

Webhooks

Webhook events.

Rate limits, pagination & request size.

Request rate

Pagination

Request size

Status codes & error handling.

Version history.

What changed, and when

Webflow API, answered.

More e-commerce API guides for agents

BigCommerce

Gumroad

EasyPost

Lemon Squeezy

WooCommerce

Magento

Control what every AI agent can do in Webflow.