When using Webflow, how can you securely store and protect public and private API keys when making API calls with third-party services?

TL;DR
  • Never expose private API keys in Webflow’s front-end code.  
  • Use a secure backend or serverless function to handle API requests with private keys.  
  • Store keys as environment variables on your backend platform.  
  • Use public keys only when needed and restrict them with domain or usage limits.

When using Webflow to integrate third-party APIs, it's essential to understand that Webflow is a front-end platform, so exposing private API keys in the client-side code is insecure and should be avoided.

1. Understand the Client-Side Limitation

  • Webflow projects run entirely on the front end, meaning any API key stored or used via custom code in Webflow's Embed blocks or Page Settings will be exposed to the browser.
  • Never include private or secret keys (like Stripe secret keys, database tokens, etc.) directly in Webflow’s custom code areas, as users can access them through DevTools.

2. Use a Backend Proxy or Serverless Function

  • To securely call APIs with private keys, set up a backend proxy server or use a serverless function (e.g., using Cloudflare Workers, Netlify Functions, or AWS Lambda).
  • Your Webflow site sends a request to your secure backend, which then adds the secret key and makes the actual API call. Only public data reaches the browser.

3. Store API Keys Securely on the Backend

  • On your backend/serverless platform, store the private keys using environment variables or built-in secret management options.
  • For Netlify Functions: Store keys in Netlify Environment Variables.
  • For Vercel Serverless Functions: Use Environment Variables in the Vercel dashboard.

4. Use Public Keys Only in Webflow

  • If an API requires a public key (e.g., for initializing services like Stripe.js, Google Maps, or Firebase), it’s generally okay to use it in Webflow’s custom code as long as:
  • The key has restricted permissions.
  • Domain restrictions are applied where supported (e.g., only allow requests from your domain).

5. Secure Webhooks and API Endpoints

  • If you're using Webhooks to send data from Webflow to a backend, verify incoming requests using shared secrets or signed tokens.
  • Avoid exposing POST endpoints without authentication or rate limiting.

Summary

To securely use API keys in Webflow:

  • Never expose private keys in Webflow’s front-end code.
  • Use a secure backend or serverless function as a middleware to handle API requests requiring private keys.
  • Store keys as environment variables in your backend hosting platform.
  • Use public keys only when absolutely necessary, and restrict their usage via domain or quota limits.
Webflow Resources
Webflow templates
Webflow inspiration
Rate this answer

Other Webflow Questions

Explore Logic tutorials
What is the issue with the positioning menu in Webflow? Does it not appear when trying to layer div blocks over each other?
How can I make the Google reviews on my Webflow store locations dynamic by using the CMS template and place IDs sourced from the CMS item? How can I retrieve the location ID from the store CMS field and insert it into the script? Additionally, why am I only able to display 5 reviews? Are there other parameters or settings affecting this number?
What is the error message "Default not allow for this domain" in Webflow referring to?
How can I make the dropdown menu in my Webflow site 100VW without it stretching off the screen? I've tried changing it from absolute positioning, but it became misaligned. Is there a simpler solution?
How can you persist dark mode across multiple pages in Webflow?
Is it possible to have a custom form action to pass form data to a URL, while also submitting the form data from page 1 to Webflow using the default action?
Is there an alternative to using the embed widget in Webflow to set a custom attribute for the value of a form text field, since the attribute name "value" is reserved? Can Webflow remove the value attribute from the reserved list, as they have done with other attributes like maxLength?
How can I embed a clean, video with a play button on a website created in Webflow without displaying any extra graphics or suggestions from YouTube or Vimeo?
How can I pass the UTM parameters of a submitter in a hidden field using Webflow form and integrate it with Mailchimp? I've tried various solutions from different sources but have been unsuccessful so far. Any ideas on how to make it work?
How can I adjust the spacing of the arrow in Webflow so that it is not positioned too far from the corner of the field?
How can I import my HTML and CSS custom code into Webflow?
Why are the images in webp format not loading in Safari Version 15.0, even though webp is supposed to be supported by Webflow?
How can I get Vimeo videos to autoplay within a Rich Text element of a CMS item in Webflow? I've tried adding a Video element with the URL and also adding embedded code, but it's not working. Any suggestions? Thank you!
What are some alternative options to the Soundcloud embed widget for hosting audio tracks on a Webflow site with text and image commentary below?
How can I fix the issue where my custom cursor gets stuck at the edge of the div on my Webflow CMS project pages when hovering over Vimeo videos?
Can I capture a screenshot of a Webflow page on click and convert it to a downloadable PDF?
How can I alternate the layout of the image and heading for each collection item in a two-column format on Webflow?
How can I execute JavaScript code when clicking a specific button with a given ID in a Webflow project?
How can I disable the Webflow success or failure state for a sign-up form and display a custom thank you page using jQuery and the Webflow form submit state?
How can I create a vertical scrolling menu with Webflow, similar to the one on Apple's website, that switches to horizontal scrolling when the menu doesn't fit on one screen?
How can I change the language of the Google Maps embed from English to Arabic in Webflow?
How can I reduce the vertical space between lines within a bullet point in Webflow? Can I replace the bullet points with icons on the "Services" page?
How can the text color be changed for custom input fields on Webflow?
How can I add conditional visibility in Webflow to prevent a div from appearing on a published page if a CMS field is empty?
How can I stop a YouTube video from playing in the background in audio mode when I close a modal in Webflow?
How can I connect and use my JavaScript and CSS files for special functions and styles in Webflow?
How can I fix the "Ensure text remains visible during webfont load" warning in Webflow?
How can I implement a ThreeJS script as a background for my Webflow project using custom code?
How can I send data from a Webflow Form to ActiveCampaign without using Zapier? I have set the form to POST and input the form's action URL, similar to Mailchimp but it redirects me to the admin area of ActiveCampaign without sending the data. Has anyone had success with this method?
Can Webflow be used to create a "blob" elements effect in the header of a website using custom code or JavaScript?