Webflow connector — required scopes
What each Webflow API scope unlocks during a migration to Insites, and which scopes to skip.
Webflow's API tokens are scoped per resource. The Insites migration only reads — Studio never writes back to Webflow. This page lists every scope Studio asks for and what would be silently lost from your migration if it isn't granted, so you can decide what to tick.
Generate the token
Open the specific site
Sign in to Webflow and open the specific site you want to migrate. Workspace-level tokens don't expose the granular scopes we need — generate at the site level.
Open the API access settings
Go to Site settings → Apps & Integrations → API access.
Generate the token
Click Generate API Token. Name it Insites Studio.
Set the permissions
Set the permissions in the next two tables to Read-only. Leave anything not listed as No access.
Copy and paste
Generate, copy, and paste the token into the connector form.
Required (always tick these)
The connector cannot complete without these. The connection test will fail explicitly if any are missing.
| Scope | Module | Why we need it |
|---|---|---|
| Sites (Read-only) | — | Resolves which Webflow site we're migrating. Without this scope every other request 403s. |
| Pages (Read-only) | CMS | Page metadata, slugs, and SEO settings so URLs and meta tags carry across to Insites cleanly. |
| CMS (Read-only) | Data | Collections and items become Data module records. This is where blog posts, team pages, project listings, and most dynamic content live. |
| Assets (Read-only) | Assets | Every image, document, and uploaded file. Pulled through the asset pipeline so URLs are rewritten on the new site. |
| Authorized user (Read-only) | — | Identity check so the connection test can confirm whose token this is. |
Recommended (tick unless you know the site doesn't use it)
The connector silently skips these blocks if the scope isn't granted, so a content-only site still works. But anything missing here is data that your migrated site will be missing too — usually with no obvious sign until much later.
| Scope | Module | Why we need it |
|---|---|---|
| Ecommerce (Read-only) | Ecommerce | Products with variants and full order history. Skip only if the site has no shop. Without it, the migrated site loses every product and every past order. |
| Forms (Read-only) | Forms | Form definitions plus historical submissions. Critical for sites that take leads or enquiries — without it, lead history is gone. |
| User Accounts (Read-only) | CRM | Webflow Memberships users become CRM contacts. Skip only if the site has no logged-in user feature. |
| Custom Code (Read-only) | CMS layout | Site-wide head and foot scripts — analytics tags, GTM, Hotjar, chat widgets, third-party trackers. Without this scope the migrated site silently loses every analytics and marketing tag, which is hard to spot until weeks of data are missing. |
| Components (Read-only) | CMS partials | Webflow Designer components (reusable design blocks). Lets us recreate the design system as Insites partials rather than flattening every page to one-off HTML. |
| Site config (Read-only) | Site config | Redirects, locales, custom domains. Without it, URL redirects from the old site are dropped and SEO equity moves with them. |
Skip these
These scopes don't unlock anything useful for a migration. Leaving them as No access keeps the token's blast radius small if it's ever leaked.
| Scope | Why we skip |
|---|---|
| Comments | Webflow Designer comments — internal team annotations, not anything that renders on the live site. |
| Branches | Designer branching state. Not data the live site needs. |
| App Subscriptions | Webflow billing metadata. Not site data. |
| Site activity | Designer activity log. Not site data. |
| Workspace | Workspace-level admin (billing, team). Not relevant to a single-site migration. |
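To check a token's ticked permissions against the three tables above before pasting it into the connector, the following added example (not part of Insites Studio or the Webflow API) classifies each grant. The function name, the `unused` parameter, and the "Read and write" level in the sample are assumptions made for illustration; the scope labels come from this page.

```python
# Scope labels copied from the three tables on this page.
REQUIRED = {"Sites", "Pages", "CMS", "Assets", "Authorized user"}
RECOMMENDED = {  # scope -> Insites module that is silently skipped without it
    "Ecommerce": "Ecommerce",
    "Forms": "Forms",
    "User Accounts": "CRM",
    "Custom Code": "CMS layout",
    "Components": "CMS partials",
    "Site config": "Site config",
}
SKIP = {"Comments", "Branches", "App Subscriptions", "Site activity", "Workspace"}


def audit_grants(grants, unused=()):
    """Classify a token's grants against the page's three tables.

    grants: scope label -> access level as ticked in Webflow (hypothetical input).
    unused: recommended scopes the site genuinely does not use (no shop, etc.).
    """
    report = {"blocking": [], "data_loss": [], "excess": []}
    for scope in sorted(REQUIRED):
        # A missing required scope makes the connection test fail.
        if grants.get(scope, "No access") == "No access":
            report["blocking"].append(scope)
    for scope, module in sorted(RECOMMENDED.items()):
        # A missing recommended scope drops that module without any error.
        if grants.get(scope, "No access") == "No access" and scope not in unused:
            report["data_loss"].append((scope, module))
    for scope, access in sorted(grants.items()):
        if access == "No access":
            continue
        wanted = scope in REQUIRED or (scope in RECOMMENDED and scope not in unused)
        if not wanted:  # skip-table scope, unlisted scope, or unused feature
            report["excess"].append((scope, "not needed for this migration"))
        elif access != "Read-only":  # anything above read widens the blast radius
            report["excess"].append((scope, "Studio only reads; use Read-only"))
    return report


# Constructed sample: "Read and write" is an assumed label for a write-level grant.
SAMPLE = {
    "Sites": "Read-only", "Pages": "Read-only", "CMS": "Read and write",
    "Assets": "Read-only", "Forms": "Read-only", "Workspace": "Read-only",
}

if __name__ == "__main__":
    for kind, findings in audit_grants(SAMPLE, unused={"Ecommerce"}).items():
        print(kind, findings)
```

A clean token for a given site produces empty `blocking` and `excess` lists; anything left in `data_loss` is a module the migrated site will not have.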
Token storage (alpha)
Tokens are kept in your browser's localStorage so a refresh or shared link doesn't lose the migration session. They are sent to the Insites server only at the moment of a connection test or import run, and are never logged.
Before GA we'll switch to real OAuth (or a per-platform service-token exchange) so tokens never touch your browser at all. Until then, generate read-only tokens with the minimum scopes listed above and rotate them after the migration completes.