
Webflow API CORS problem


#1

Hi guys.

Need help with Webflow API :slight_smile:

We have collections in Webflow CMS and I'm trying to get them using Webflow API.
I installed webflow js api in project:
npm install --save webflow-api

And trying to use it as described in the guide:
const Webflow = require('webflow-api'); // import needed for the snippet below
const api = new Webflow({ token: 'api-token' });
api.site({ siteId: 'some-id' }).then(site => console.log(site));
api-token and siteId are real in code :slight_smile:

The problem is I can't get this info because of CORS, I always get an error in the console that I have an origin problem.
I can avoid this error by proxy, but it's not a very good solution.
Is there a way to add my server address to "trusted servers" or any other way to avoid use of proxy?

Example screenshot


#2

This unfortunately is the only secure way to use authenticated APIs in the browser.

3rd party API usage in the browser via CORS only works for non-authenticated endpoints, otherwise anyone visiting your site would have access to your private key (which should be treated as though it were your account password.)


#3

I thought that there is a possibility to configure trusted domain in webflow account or another authentication way for example by credentials :slight_smile: Or to use webflow hosting.

For now i know for sure that there is no possibility to configure trusted domain :slight_smile:


#4

To clarify, it's not a matter of "trusted domain" - even if our API sent back CORS headers, you still would have to publicly expose your private API key to use the API in the browser. This would be pretty much like putting your Webflow username and password in the source of your website.


#5

@nathan Ideally we shouldn’t be exposing any private API keys at all. Isn’t that why they have client credentials that can be used on the client and revoked whenever needed. Ideally…


#6

Not to mention, keys that only work on whitelisted domains…


#7

Exactly, what is my API token doing? Am I generating a token that’s secret…? That doesn’t sound right. Ideally we’re generating a public token that we can use like any of the other billion APIs on the planet…