webflow-enterprise-rbac
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
Best use case
webflow-enterprise-rbac is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
Teams using webflow-enterprise-rbac should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/webflow-enterprise-rbac/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How webflow-enterprise-rbac Compares
| Feature / Agent | webflow-enterprise-rbac | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Configure Webflow enterprise access control — OAuth 2.0 app authorization, scope-based RBAC, per-site token isolation, workspace member management, and audit logging for compliance. Trigger with phrases like "webflow RBAC", "webflow enterprise", "webflow roles", "webflow permissions", "webflow OAuth scopes", "webflow access control", "webflow workspace members".
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Best AI Skills for Claude
Explore the best AI skills for Claude and Claude Code across coding, research, workflow automation, documentation, and agent operations.
ChatGPT vs Claude for Agent Skills
Compare ChatGPT and Claude for AI agent skills across coding, writing, research, and reusable workflow execution.
SKILL.md Source
# Webflow Enterprise RBAC
## Overview
Enterprise-grade access control for Webflow Data API v2 integrations. Uses Webflow's
OAuth 2.0 scope system, per-site token isolation, and application-level RBAC to
enforce least privilege across teams and environments.
## Prerequisites
- Webflow workspace (Core plan or higher for multiple members)
- OAuth 2.0 Data Client App (for user-authorized access)
- Understanding of Webflow scopes
## Webflow's Native Access Model
Webflow provides three levels of access control:
| Level | Mechanism | Granularity |
|-------|-----------|-------------|
| **Workspace tokens** | API token | All sites in workspace |
| **Site tokens** | API token | Single site |
| **OAuth tokens** | OAuth 2.0 authorization | User-authorized scopes per site |
## Scope-Based Permission Model
Webflow scopes map directly to API access:
| Scope | Read Access | Write Access |
|-------|-------------|--------------|
| `sites:read` | List/get sites | — |
| `sites:write` | — | Publish sites |
| `cms:read` | List collections, read items | — |
| `cms:write` | — | Create/update/delete CMS items |
| `pages:read` | List/get pages | — |
| `pages:write` | — | Update page settings |
| `forms:read` | List forms, read submissions | — |
| `ecommerce:read` | List products, orders, inventory | — |
| `ecommerce:write` | — | Create products, fulfill orders |
| `custom_code:read` | List registered scripts | — |
| `custom_code:write` | — | Register/apply custom code |
## Instructions
### Step 1: Define Application Roles
Map your application roles to Webflow scope sets:
```typescript
enum AppRole {
ContentViewer = "content_viewer",
ContentEditor = "content_editor",
SiteAdmin = "site_admin",
EcommerceManager = "ecommerce_manager",
FormProcessor = "form_processor",
}
// Map roles to required Webflow OAuth scopes
const ROLE_SCOPES: Record<AppRole, string[]> = {
[AppRole.ContentViewer]: ["sites:read", "cms:read", "pages:read"],
[AppRole.ContentEditor]: ["sites:read", "cms:read", "cms:write", "pages:read"],
[AppRole.SiteAdmin]: [
"sites:read", "sites:write",
"cms:read", "cms:write",
"pages:read", "pages:write",
"custom_code:read", "custom_code:write",
],
[AppRole.EcommerceManager]: [
"sites:read",
"ecommerce:read", "ecommerce:write",
"cms:read", // Products are CMS collections
],
[AppRole.FormProcessor]: ["sites:read", "forms:read"],
};
```
### Step 2: OAuth App with Role-Based Scopes
Request only the scopes needed for the user's role:
```typescript
function getAuthorizationUrl(role: AppRole, state: string): string {
const scopes = ROLE_SCOPES[role];
const scopeString = scopes.join(" ");
return (
`https://webflow.com/oauth/authorize` +
`?client_id=${process.env.WEBFLOW_CLIENT_ID}` +
`&response_type=code` +
`&redirect_uri=${encodeURIComponent(process.env.REDIRECT_URI!)}` +
`&scope=${encodeURIComponent(scopeString)}` +
`&state=${state}` // CSRF protection
);
}
// Initiate OAuth flow with role-appropriate scopes
app.get("/auth/webflow", (req, res) => {
const role = req.user.appRole as AppRole;
const state = generateCsrfToken(req.session.id);
res.redirect(getAuthorizationUrl(role, state));
});
```
### Step 3: Token Storage with Role Metadata
```typescript
interface StoredToken {
accessToken: string;
userId: string;
role: AppRole;
scopes: string[];
siteIds: string[]; // Which sites this token can access
createdAt: Date;
lastUsed: Date;
}
async function storeToken(token: StoredToken): Promise<void> {
// Encrypt token before storing
const encrypted = encrypt(token.accessToken);
await db.webflowTokens.upsert({
where: { userId: token.userId },
create: {
...token,
accessToken: encrypted,
},
update: {
accessToken: encrypted,
lastUsed: new Date(),
},
});
}
```
### Step 4: Per-Site Token Isolation
Use site-scoped tokens to limit blast radius:
```typescript
class SiteIsolatedClient {
private clients = new Map<string, WebflowClient>();
// Each site gets its own token — compromise of one doesn't affect others
registerSite(siteId: string, siteToken: string): void {
this.clients.set(siteId, new WebflowClient({ accessToken: siteToken }));
}
getClient(siteId: string): WebflowClient {
const client = this.clients.get(siteId);
if (!client) {
throw new Error(`No token registered for site ${siteId}`);
}
return client;
}
// Rotate a single site's token without affecting others
rotateToken(siteId: string, newToken: string): void {
this.clients.set(siteId, new WebflowClient({ accessToken: newToken }));
console.log(`Token rotated for site ${siteId}`);
}
}
const siteClients = new SiteIsolatedClient();
siteClients.registerSite("site-prod", process.env.WEBFLOW_TOKEN_PROD!);
siteClients.registerSite("site-staging", process.env.WEBFLOW_TOKEN_STAGING!);
```
### Step 5: Permission Check Middleware
```typescript
import { Request, Response, NextFunction } from "express";
function requireWebflowScope(requiredScopes: string[]) {
return async (req: Request, res: Response, next: NextFunction) => {
const userToken = await db.webflowTokens.findByUserId(req.user.id);
if (!userToken) {
return res.status(401).json({ error: "No Webflow authorization" });
}
// Check if user's token has the required scopes
const missingScopes = requiredScopes.filter(
s => !userToken.scopes.includes(s)
);
if (missingScopes.length > 0) {
return res.status(403).json({
error: "Insufficient Webflow permissions",
missing: missingScopes,
userRole: userToken.role,
hint: `Role "${userToken.role}" does not include: ${missingScopes.join(", ")}`,
});
}
next();
};
}
// Usage
app.post(
"/api/cms/items",
requireWebflowScope(["cms:write"]),
createItemHandler
);
app.get(
"/api/forms/submissions",
requireWebflowScope(["forms:read"]),
listSubmissionsHandler
);
app.post(
"/api/site/publish",
requireWebflowScope(["sites:write"]),
publishSiteHandler
);
```
### Step 6: Audit Logging
```typescript
interface WebflowAuditEntry {
timestamp: Date;
userId: string;
role: AppRole;
operation: string;
siteId: string;
resourceType: string;
resourceId?: string;
result: "success" | "denied" | "error";
scopes: string[];
ipAddress: string;
}
async function auditWebflowAccess(entry: WebflowAuditEntry): Promise<void> {
// Write to audit log (never delete audit entries)
await db.auditLog.create({
data: {
...entry,
timestamp: entry.timestamp.toISOString(),
},
});
// Alert on suspicious patterns
if (entry.result === "denied") {
console.warn(`ACCESS DENIED: ${entry.userId} attempted ${entry.operation} on ${entry.resourceType}`);
}
// Alert on admin operations
if (entry.role === AppRole.SiteAdmin && entry.operation.includes("publish")) {
console.log(`ADMIN ACTION: ${entry.userId} published site ${entry.siteId}`);
}
}
// Wrap API calls with audit logging
async function auditedCall<T>(
entry: Omit<WebflowAuditEntry, "timestamp" | "result">,
operation: () => Promise<T>
): Promise<T> {
try {
const result = await operation();
await auditWebflowAccess({ ...entry, timestamp: new Date(), result: "success" });
return result;
} catch (error) {
await auditWebflowAccess({ ...entry, timestamp: new Date(), result: "error" });
throw error;
}
}
```
### Step 7: Token Rotation Schedule
```typescript
async function checkTokenAge(): Promise<void> {
const tokens = await db.webflowTokens.findMany();
for (const token of tokens) {
const ageInDays = (Date.now() - token.createdAt.getTime()) / (1000 * 60 * 60 * 24);
if (ageInDays > 90) {
console.warn(
`Token for user ${token.userId} (${token.role}) is ${Math.floor(ageInDays)} days old. ` +
`Rotation recommended.`
);
// Send notification to user/admin
}
}
}
// Run weekly
// cron: "0 9 * * 1"
```
## Output
- Role-to-scope mapping for Webflow OAuth
- OAuth authorization with role-appropriate scopes
- Per-site token isolation
- Permission check middleware for API endpoints
- Comprehensive audit logging
- Token age monitoring and rotation alerts
## Error Handling
| Issue | Cause | Solution |
|-------|-------|----------|
| OAuth scope mismatch | App requests more scopes than configured | Match app settings in Webflow dashboard |
| 403 on API call | Token missing required scope | Re-authorize with correct role |
| Token not found | User never completed OAuth flow | Redirect to authorization |
| Audit gap | Error in async logging | Add fallback logging to console |
## Resources
- [Webflow OAuth Reference](https://developers.webflow.com/data/reference/oauth-app)
- [Webflow Scopes](https://developers.webflow.com/data/reference/scopes)
- [Webflow Authentication](https://developers.webflow.com/data/reference/authentication)
## Next Steps
For major migrations, see `webflow-migration-deep-dive`.Related Skills
windsurf-enterprise-rbac
Configure Windsurf enterprise SSO, RBAC, and organization-level controls. Use when implementing SSO/SAML, configuring role-based seat management, or setting up organization-wide Windsurf policies. Trigger with phrases like "windsurf SSO", "windsurf RBAC", "windsurf enterprise", "windsurf admin", "windsurf SAML", "windsurf team management".
webflow-webhooks-events
Implement Webflow webhook registration, signature verification, and event handling for form_submission, site_publish, ecomm_new_order, page_created, and more. Use when setting up webhook endpoints, implementing event-driven workflows, or handling Webflow notifications. Trigger with phrases like "webflow webhook", "webflow events", "webflow webhook signature", "handle webflow events", "webflow notifications".
webflow-upgrade-migration
Analyze, plan, and execute Webflow SDK upgrades (webflow-api v1 to v3) with breaking change detection, API v1-to-v2 migration, and deprecation handling. Trigger with phrases like "upgrade webflow", "webflow migration", "webflow breaking changes", "update webflow SDK", "webflow v1 to v2".
webflow-security-basics
Apply Webflow API security best practices — token management, scope least privilege, OAuth 2.0 secret rotation, webhook signature verification, and audit logging. Use when securing API tokens, implementing least privilege access, or auditing Webflow security configuration. Trigger with phrases like "webflow security", "webflow secrets", "secure webflow", "webflow API key security", "webflow token rotation".
webflow-sdk-patterns
Apply production-ready Webflow SDK patterns — singleton client, typed error handling, pagination helpers, and raw response access for the webflow-api package. Use when implementing Webflow integrations, refactoring SDK usage, or establishing team coding standards. Trigger with phrases like "webflow SDK patterns", "webflow best practices", "webflow code patterns", "idiomatic webflow", "webflow typescript".
webflow-reference-architecture
Implement Webflow reference architecture — layered project structure, client wrapper, CMS sync service, webhook handlers, and caching layer for production integrations. Trigger with phrases like "webflow architecture", "webflow project structure", "how to organize webflow", "webflow integration design", "webflow best practices".
webflow-rate-limits
Handle Webflow Data API v2 rate limits — per-key limits, Retry-After headers, exponential backoff, request queuing, and bulk endpoint optimization. Use when hitting 429 errors, implementing retry logic, or optimizing API request throughput. Trigger with phrases like "webflow rate limit", "webflow throttling", "webflow 429", "webflow retry", "webflow backoff", "webflow too many requests".
webflow-prod-checklist
Execute Webflow production deployment checklist — token security, rate limit hardening, health checks, circuit breakers, gradual rollout, and rollback procedures. Use when deploying Webflow integrations to production or preparing for launch. Trigger with phrases like "webflow production", "deploy webflow", "webflow go-live", "webflow launch checklist", "webflow production ready".
webflow-performance-tuning
Optimize Webflow API performance with response caching, bulk endpoint batching, CDN-cached live item reads, pagination optimization, and connection pooling. Use when experiencing slow API responses or optimizing request throughput. Trigger with phrases like "webflow performance", "optimize webflow", "webflow latency", "webflow caching", "webflow slow", "webflow batch".
webflow-observability
Set up observability for Webflow integrations — Prometheus metrics for API calls, OpenTelemetry tracing, structured logging with pino, Grafana dashboards, and alerting for rate limits, errors, and latency. Trigger with phrases like "webflow monitoring", "webflow metrics", "webflow observability", "monitor webflow", "webflow alerts", "webflow tracing".
webflow-multi-env-setup
Configure Webflow across development, staging, and production environments with per-environment API tokens, site IDs, and secret management via Vault/AWS/GCP. Trigger with phrases like "webflow environments", "webflow staging", "webflow dev prod", "webflow environment setup", "webflow config by env".
webflow-migration-deep-dive
Execute major Webflow migrations — from other CMS platforms to Webflow CMS, between Webflow sites, or large-scale content re-architecture using the Data API v2 bulk endpoints, strangler fig pattern, and data validation. Trigger with phrases like "migrate to webflow", "webflow migration", "import into webflow", "webflow replatform", "move content to webflow", "webflow bulk import", "wordpress to webflow".