by webflow
Model Context Protocol (MCP) server for the Webflow Data API.
# Add to your Claude Code skills
git clone https://github.com/webflow/mcp-serverGuides for using mcp servers skills like mcp-server.
Last scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@modelcontextprotocol/sdk: @modelcontextprotocol/sdk has cross-client data leak via shared server/transport instance reuse",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "bn.js: bn.js affected by an infinite loop",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "browserify-sign: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "create-ecdh: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "crypto-browserify: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "elliptic: Elliptic Uses a Cryptographic Primitive with a Risky Implementation",
"severity": "low"
},
{
"type": "npm-audit",
"message": "engine.io: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "hono: hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "lodash: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in comma parsing allows denial of service",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "socket.io-adapter: Vulnerability found",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "webflow-api: Vulnerability found",
"severity": "low"
},
{
"type": "npm-audit",
"message": "ws: ws: Uninitialized memory disclosure",
"severity": "medium"
}
],
"status": "WARNING",
"scannedAt": "2026-05-30T16:20:15.192Z",
"npmAuditRan": true,
"pipAuditRan": true
}mcp-server is an open-source mcp servers skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by webflow. Model Context Protocol (MCP) server for the Webflow Data API. It has 133 GitHub stars.
mcp-server returned warnings in SkillsLLM's automated security scan. It has no critical vulnerabilities, but review the flagged issues in the Security Report section before adding it to your workflow.
Clone the repository with "git clone https://github.com/webflow/mcp-server" and add it to your Claude Code skills directory (see the Installation section above).
mcp-server is primarily written in TypeScript. It is open-source under webflow on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other MCP Servers skills you can browse and compare side by side. Open the MCP Servers category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh mcp-server against similar tools.
No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
A Node.js server implementing Model Context Protocol (MCP) for Webflow using the Webflow JavaScript SDK. Enable AI agents to interact with Webflow APIs. Learn more about Webflow's Data API in the developer documentation.
Get started by installing Webflow's remote MCP server. The remote server uses OAuth to authenticate with your Webflow sites, and a companion app that syncs your live canvas with your AI agent.
Note: The MCP server currently supports Node.js 22.3.0 or higher. If you run into version issues, see the Node.js compatibility guidance.
Settings → Cursor Settings → MCP & Integrations.+ New MCP Server..cursor/mcp.json (or add the webflow part to your existing configuration):{
"mcpServers": {
"webflow": {
"url": "https://mcp.webflow.com/sse"
}
}
}
Tip: You can create a project-level
mcp.jsonto avoid repeated auth prompts across multiple Cursor windows. See Cursor’s docs on configuration locations.
Give me a link to open <MY_SITE_NAME> in the Webflow Designer
E).Try these in your AI chat:
Analyze my last 5 blog posts and suggest 3 new topic ideas with SEO keywords
Find older blog posts that mention similar topics and add internal links to my latest post
Create a hero section card on my home page with a CTA button and responsive design
Help → Troubleshooting → Enable Developer Mode.File → Settings → Developer.Get Started or edit the configuration to open claude_desktop_config.json and add:{
"mcpServers": {
"webflow": {
"command": "npx",
"args": ["mcp-remote", "https://mcp.webflow.com/sse"]
}
}
}
Cmd/Ctrl + R). An OAuth login page will open to authorize sites.Give me a link to open <MY_SITE_NAME> in the Webflow Designer
E).Analyze my last 5 blog posts and suggest 3 new topic ideas with SEO keywords
Find older blog posts that mention similar topics and add internal links to my latest post
Create a hero section card on my home page with a CTA button and responsive design
To reset your OAuth token, run the following command in your terminal.
rm -rf ~/.mcp-auth
Please see the Node.js compatibility guidance on Webflow's developer docs.
You can also configure the MCP server to run locally. This requires:
Before connecting the local MCP server to your AI client, you must create and publish the Webflow MCP Bridge App in your workspace.
Register a Webflow App
Get the MCP Bridge App code
bundle.zip from the releases page.git clone https://github.com/virat21/webflow-mcp-bridge-app
cd webflow-mcp-bridge-app
Publish the Designer Extension
bundle.zip file.Open the App in Designer
Add to .cursor/mcp.json:
{
"mcpServers": {
"webflow": {
"command": "npx",
"args": ["-y", "webflow-mcp-server@latest"],
"env": {
"WEBFLOW_TOKEN": "<YOUR_WEBFLOW_TOKEN>"
}
}
}
}
Add to claude_desktop_config.json:
{
"mcpServers": {
"webflow": {
"command": "npx",
"args": ["-y", "webflow-mcp-server@latest"],
"env": {
"WEBFLOW_TOKEN": "<YOUR_WEBFLOW_TOKEN>"
}
}
}
}
E) and launch your published “Webflow MCP Bridge App”.get_designer_app_connection_info tool from your AI client and paste the returned http://localhost:<port> URL.WEBFLOW_TOKEN="<YOUR_WEBFLOW_TOKEN>" npx -y webflow-mcp-server@latest
# PowerShell
$env:WEBFLOW_TOKEN="<YOUR_WEBFLOW_TOKEN>"
npx -y webflow-mcp-server@latest
To reset your OAuth token, run the following command in your terminal.
rm -rf ~/.mcp-auth
Please see the Node.js compatibility guidance on Webflow's developer docs.
If you are having issues starting the server in your MCP client e.g. Cursor or Claude Desktop, please try the following.
YOUR_WEBFLOW_TOKEN in your MCP client configuration with the token you copiedRun the following commands to confirm you have Node and NPM installed:
node -v
npm -v
Sometimes clearing your NPM cache can resolve issues with npx.
npm cache clean --force
If npm -v doesn't work for you but sudo npm -v does, you may need to fix NPM global package permissions. See the official NPM docs for more information.
Note: if you are making changes to your shell configuration, you may need to restart your shell for changes to take effect.
See the ./tools directory for a list of available tools
This implementation doesn't include prompts or resources from the MCP specification. However, this may change in the future when there is broader support across popular MCP clients.
The pages_update_static_content endpoint currently only supports updates to localized static pages in secondary locales. Updates to static content in the default locale aren't supported and will result in errors.