> ## Documentation Index
> Fetch the complete documentation index at: https://docs.synclify.cloud/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> How Synclify authorizes, stores credentials, and protects your data.

## Connecting accounts

Synclify connects to Webflow and Airtable over **OAuth**. You authorize on the provider's own site — Synclify never sees or stores your provider password.

**Webflow scopes.** Synclify requests `cms:read` and `cms:write`. That's read and write access to CMS collections and items. It does **not** request access to your Designer layouts, pages, site settings, billing, or account.

**Revoking access.** Revoke Synclify from your Webflow or Airtable account settings at any time. The connected account then shows `reauth required` in Synclify and syncs stop until you reconnect.

## OAuth integrity

Every OAuth handshake carries a one-time random `state` value that Synclify generates and verifies on return. If the value coming back doesn't match the one sent, Synclify rejects it:

> Invalid OAuth state. Please try again.

This prevents an attacker from tricking your browser into completing an authorization Synclify didn't initiate (CSRF).

Redirects after sign-in are validated too — Synclify only follows relative paths inside the app, never an external URL smuggled into a redirect parameter.

## Your account

* Sign in with email and password (**minimum 8 characters**) or Google OAuth.
* Your session token is held in your browser. Signing out clears it.
* If a request ever comes back unauthorized, Synclify clears your session immediately and returns you to sign-in.

## Data handling

* **Airtable** — Synclify reads the bases and tables you grant, at sync time. It reads row values to push them to Webflow (and, on two-way connections, writes values back).
* **Webflow** — Synclify reads your collection schemas and reads/writes CMS items.
* Synclify syncs the fields you map. Unmapped columns are not read into Webflow.

## Safe writes

* **Nothing is written without a preview.** A new connection stays an inert draft until you approve a full preview of the first sync. See [Guided setup](/connections/guided-setup).
* **Deletes are opt-in.** Removing a source row deletes the Webflow item only if you turned on **Delete orphaned records** — off by default. See [Sync settings](/connections/sync-settings).
* **Idempotency.** Every change Synclify sends carries an idempotency key, so a retried request can't accidentally apply the same change twice.
* **Destructive actions are gated.** Deleting a connection requires typing its exact name plus a written reason.

## Team access

Roles scope what teammates can do — **Owner** (full, including billing), **Member** (manage connections and syncs), **Client** (read-only). See [Team](/account/team).

## Reporting a problem

If Synclify hits a server error it offers to send a support report, pre-filled with the failing request's details. For anything security-sensitive, email [support@syncwebflow.com](mailto:support@syncwebflow.com) directly.
