Skip to main content

Connecting accounts

Synclify connects to Webflow and Airtable over OAuth. You authorize on the provider’s own site — Synclify never sees or stores your provider password. Webflow scopes. Synclify requests cms:read and cms:write. That’s read and write access to CMS collections and items. It does not request access to your Designer layouts, pages, site settings, billing, or account. Revoking access. Revoke Synclify from your Webflow or Airtable account settings at any time. The connected account then shows reauth required in Synclify and syncs stop until you reconnect.

OAuth integrity

Every OAuth handshake carries a one-time random state value that Synclify generates and verifies on return. If the value coming back doesn’t match the one sent, Synclify rejects it:
Invalid OAuth state. Please try again.
This prevents an attacker from tricking your browser into completing an authorization Synclify didn’t initiate (CSRF). Redirects after sign-in are validated too — Synclify only follows relative paths inside the app, never an external URL smuggled into a redirect parameter.

Your account

  • Sign in with email and password (minimum 8 characters) or Google OAuth.
  • Your session token is held in your browser. Signing out clears it.
  • If a request ever comes back unauthorized, Synclify clears your session immediately and returns you to sign-in.

Data handling

  • Airtable — Synclify reads the bases and tables you grant, at sync time. It reads row values to push them to Webflow (and, on two-way connections, writes values back).
  • Webflow — Synclify reads your collection schemas and reads/writes CMS items.
  • Synclify syncs the fields you map. Unmapped columns are not read into Webflow.

Safe writes

  • Nothing is written without a preview. A new connection stays an inert draft until you approve a full preview of the first sync. See Guided setup.
  • Deletes are opt-in. Removing a source row deletes the Webflow item only if you turned on Delete orphaned records — off by default. See Sync settings.
  • Idempotency. Every change Synclify sends carries an idempotency key, so a retried request can’t accidentally apply the same change twice.
  • Destructive actions are gated. Deleting a connection requires typing its exact name plus a written reason.

Team access

Roles scope what teammates can do — Owner (full, including billing), Member (manage connections and syncs), Client (read-only). See Team.

Reporting a problem

If Synclify hits a server error it offers to send a support report, pre-filled with the failing request’s details. For anything security-sensitive, email support@syncwebflow.com directly.