Skip to main content
RapidDev - Software Development Agency
flutterflow-integrationsFlutterFlow API Call

Moz

Connect FlutterFlow to Moz by creating an API Group with base URL https://lsapi.seomoz.com/v2 and an Authorization header using HTTP Basic Auth (your Access ID and Secret Key base64-encoded together). The key endpoint is a POST to /url_metrics with a JSON body. Because base64 is encoding not encryption, route credentials through a Firebase Cloud Function proxy rather than shipping them in the compiled app.

What you'll learn

  • How to create a FlutterFlow API Group for Moz with an HTTP Basic Auth header
  • How to base64-encode your Moz Access ID and Secret Key for the Authorization header
  • How to configure a POST request with a JSON body containing target URLs
  • How to parse Domain Authority and Page Authority from the JSON response using JSON Path
  • How to proxy Basic Auth credentials through a Firebase Cloud Function to keep them off the client
Book a free consultation
4.9Clutch rating
600+Happy partners
17+Countries served
190+Team members
Intermediate15 min read40 minutesMarketingLast updated July 2026RapidDev Engineering Team
TL;DR

Connect FlutterFlow to Moz by creating an API Group with base URL https://lsapi.seomoz.com/v2 and an Authorization header using HTTP Basic Auth (your Access ID and Secret Key base64-encoded together). The key endpoint is a POST to /url_metrics with a JSON body. Because base64 is encoding not encryption, route credentials through a Firebase Cloud Function proxy rather than shipping them in the compiled app.

Quick facts about this guide
FactValue
ToolMoz
CategoryMarketing
MethodFlutterFlow API Call
DifficultyIntermediate
Time required40 minutes
Last updatedJuly 2026

Build a Domain Authority Checker App with Moz and FlutterFlow

Moz's Links API is the tool of choice for checking Domain Authority (DA) and Page Authority (PA) — two of the most widely recognized third-party metrics in SEO. Unlike the query-parameter authentication used by SEMrush or Serpstat, Moz uses HTTP Basic Auth: you send a base64-encoded string of 'AccessID:SecretKey' in an Authorization header. The API is also a POST endpoint rather than a GET, accepting a JSON body with a 'targets' array of URLs. Both of these patterns (POST + Basic Auth) differ from the other SEO API tutorials here, which is what keeps the Moz page distinct and non-duplicative.

The free tier of the Moz Links API is tightly limited — roughly 10 rows per query and a low monthly request cap. For a simple DA/PA checker, the free tier is sufficient for testing and low-traffic internal tools. Paid tiers lift the row limit and monthly cap; check the current Moz pricing page for details, as plans change periodically.

In FlutterFlow, you configure an API Group with the Basic Auth header and one API Call for the url_metrics POST endpoint. Because the response is JSON, FlutterFlow's built-in JSON Path tool works perfectly: you generate extractors for $.results[0].domain_authority and $.results[0].page_authority, then bind those values to Text widgets on a dashboard card. The remaining challenge is security: base64 encoding is not encryption, and anyone who decodes the Authorization header value from your compiled app recovers your raw Access ID and Secret Key. The proxy pattern resolves this, as with all the SEO API integrations in this category.

Integration method

FlutterFlow API Call

FlutterFlow connects to Moz's Links API through an API Group with base URL https://lsapi.seomoz.com/v2, using an HTTP Basic Auth header (base64-encoded Access ID and Secret Key). The url_metrics endpoint is a POST request that accepts a JSON body listing one or more target URLs, and returns Domain Authority and Page Authority scores as JSON. A Firebase Cloud Function proxy holds the credentials server-side so they never appear in the compiled Dart binary.

Prerequisites

  • A Moz Pro account or a registered Moz API access with Access ID and Secret Key (generate at moz.com/api)
  • Your Moz Access ID and Secret Key — both are required for HTTP Basic Auth
  • A FlutterFlow project (free or paid) with a screen ready to display DA/PA data
  • A Firebase project for the Cloud Function proxy that will hold your Moz credentials
  • Basic familiarity with FlutterFlow's API Calls panel; understanding of what HTTP POST requests are is helpful

Step-by-step guide

1

Generate your Moz API credentials and understand Basic Auth

Before creating anything in FlutterFlow, you need two credentials from the Moz API dashboard: your Access ID and your Secret Key. Log into your Moz account, navigate to moz.com/api, and generate API credentials if you haven't already. You will see an Access ID (a string starting with 'mozscape-') and a Secret Key (a longer random string). HTTP Basic Auth encodes these as a single string in the format 'AccessID:SecretKey' (with a colon separating them), then base64-encodes that combined string, and sends it as the value of an Authorization header: 'Authorization: Basic [base64value]'. In a web browser you can generate the base64 value by opening the browser console and typing btoa('YOUR_ACCESS_ID:YOUR_SECRET_KEY'). Keep the result — you will use it in the Cloud Function and in testing. The important security point here is that base64 is a reversible encoding, not encryption. Anyone who intercepts or extracts the Authorization header value can immediately decode it back to your raw Access ID and Secret Key with atob() or any base64 decoder. This is why the credentials must stay in a server-side environment — the Cloud Function proxy — rather than being hardcoded in a FlutterFlow API Call header.

generate_basic_auth.js
1// Generate base64 Basic Auth string (for testing only — do NOT put in FlutterFlow)
2// In a browser console:
3const accessId = 'YOUR_ACCESS_ID'; // e.g. mozscape-abc123
4const secretKey = 'YOUR_SECRET_KEY';
5const base64Auth = btoa(`${accessId}:${secretKey}`);
6console.log('Authorization: Basic ' + base64Auth);
7// Use this value ONLY in your Cloud Function environment variable, not in FlutterFlow

Pro tip: Store both the raw credentials AND the base64 value in a password manager. You will need the base64 value to set it in the Firebase function config, and the raw values if you ever need to regenerate.

Expected result: You have your Moz Access ID, Secret Key, and the base64-encoded 'AccessID:SecretKey' string ready for the next step.

2

Deploy a Firebase Cloud Function proxy for Moz

The Cloud Function proxy intercepts FlutterFlow's requests and adds the Moz Basic Auth header server-side. FlutterFlow calls the function URL (which is public and has no secrets in it); the function adds the Authorization header using a stored environment variable, sends the POST to Moz's Links API, and returns the JSON response. Create a Firebase Cloud Function project (or add to an existing one). The function is an HTTP function that accepts POST requests from FlutterFlow. The request body from FlutterFlow contains the targets array. The function reads the base64-encoded credentials from process.env.MOZ_AUTH, constructs the Authorization header, POSTs to https://lsapi.seomoz.com/v2/url_metrics with the correct Content-Type: application/json header, and returns the Moz JSON response. Set the environment variable with: firebase functions:config:set moz.auth='Basic BASE64VALUE' (replace BASE64VALUE with the base64 string from Step 1). Deploy with firebase deploy --only functions. Test the function URL directly by sending a POST with a JSON body: {"targets": ["example.com"]} — you should get back a JSON response with domain_authority and page_authority fields.

index.js
1// Firebase Cloud Function proxy for Moz Links API (functions/index.js)
2const functions = require('firebase-functions');
3const axios = require('axios');
4
5exports.mozProxy = functions.https.onRequest(async (req, res) => {
6 // CORS for FlutterFlow web builds
7 res.set('Access-Control-Allow-Origin', '*');
8 res.set('Access-Control-Allow-Methods', 'POST, OPTIONS');
9 res.set('Access-Control-Allow-Headers', 'Content-Type');
10 if (req.method === 'OPTIONS') { res.status(204).send(''); return; }
11 if (req.method !== 'POST') {
12 return res.status(405).json({ error: 'Method not allowed' });
13 }
14
15 const authHeader = process.env.MOZ_AUTH; // e.g. 'Basic BASE64VALUE'
16 const targets = req.body?.targets;
17
18 if (!targets || !Array.isArray(targets) || targets.length === 0) {
19 return res.status(400).json({ error: 'targets array is required' });
20 }
21
22 try {
23 const response = await axios.post(
24 'https://lsapi.seomoz.com/v2/url_metrics',
25 { targets },
26 {
27 headers: {
28 Authorization: authHeader,
29 'Content-Type': 'application/json'
30 }
31 }
32 );
33 res.json(response.data);
34 } catch (err) {
35 const status = err.response?.status || 500;
36 res.status(status).json({ error: err.message, details: err.response?.data });
37 }
38});

Pro tip: Moz limits the free tier to approximately 10 rows per query. If your targets array has more than 10 items, the API returns results for the first 10 only (not an error). For larger batches, paginate the targets array in your Custom Action.

Expected result: The Cloud Function is deployed and returns JSON with domain_authority and page_authority when you POST {"targets": ["example.com"]} to its URL.

3

Create the Moz API Group and url_metrics POST call in FlutterFlow

With the proxy running, create the FlutterFlow API Group that points to your Cloud Function. Open FlutterFlow and navigate to API Calls in the left nav. Click + Add → Create API Group. Name it Moz. In the Base URL field, paste your Cloud Function URL: https://us-central1-YOUR_PROJECT.cloudfunctions.net/mozProxy. No Authorization header is needed at the FlutterFlow level since authentication happens inside the Cloud Function. Save the group. Next, click + inside the Moz group → Create API Call. Name it Get URL Metrics. Set the HTTP Method to POST (this is important — it is not a GET). In the Body section, set the Body Type to JSON and enter the body template. Go to the Variables tab and add a variable named targets of type String (you will pass a JSON array string, e.g. '["example.com"]', or build it dynamically in an action). In the Body field, reference the variable: the body should be {"targets": {{targets}}}. Alternatively, if you want to accept a single domain as a string, build the array in the body as {"targets": ["{{target_url}}"]}, with a variable named target_url (String). Switch to Response & Test. Set the target_url test value to example.com and run the test. You should receive a JSON response containing a results array with domain_authority, page_authority, links_in, and root_domains_linking_in fields. Click Generate JSON Paths. Map $.results[0].domain_authority → domainAuthority, $.results[0].page_authority → pageAuthority, and $.results[0].root_domains_linking_in → linkingRootDomains. Save.

moz_api_call.json
1// API Call POST body template (configured in FlutterFlow Body tab)
2{
3 "targets": ["{{target_url}}"]
4}
5
6// JSON Paths to extract from response:
7// domainAuthority → $.results[0].domain_authority
8// pageAuthority → $.results[0].page_authority
9// linkingRootDomains → $.results[0].root_domains_linking_in
10// totalExternalLinks → $.results[0].links_in

Pro tip: The Moz Links API also returns 'spam_score' (0-17) for domains. Add it to your JSON Paths if you want to show users a spam risk indicator alongside DA/PA — it is a popular secondary metric.

Expected result: The Get URL Metrics API Call is saved, the POST body is set to JSON, and the test panel returns domain_authority and page_authority for a test domain.

4

Build the DA/PA checker UI and wire the action flow

Now build the visible part of the app: a clean domain authority checker screen where a user enters a URL, taps Check, and sees DA and PA scores returned from Moz. On your main screen, add a TextField widget (hint text: 'Enter a domain or URL') and a Button labeled Check Authority. In the Button's Actions panel, build the following sequence: 1. Validate that the TextField is not empty; if empty, show a Snackbar: 'Please enter a domain or URL'. 2. Set a boolean App State variable isLoading = true (show a CircularProgressIndicator over the button). 3. Backend/API Call → Moz → Get URL Metrics, passing the TextField value as target_url. 4. On success: update a custom Data Type variable (MozResult) in App State with the extracted domainAuthority, pageAuthority, and linkingRootDomains values from the JSON Paths. Set isLoading = false. 5. On error: set isLoading = false and show a Dialog with the error message (e.g. '429 Too Many Requests — Moz rate limit hit'). For the display, add a Row of metric cards below the TextField. Each card has a large bold number (the DA or PA score) and a label below it. Use Conditional Visibility to show the cards only when App State.mozResult is not null. A Color widget can gradient the card background from green (high score) to red (low score) using the DA value for a more visually polished result. Finally, add a small note below the results: 'Data from Moz Links API via mozProxy — refreshed on demand.' This helps users understand the data source and that it doesn't update automatically.

Pro tip: If you'd rather have a FlutterFlow expert set up the Moz proxy and UI for you, RapidDev's team builds integrations like this every week — free scoping call at rapidevelopers.com/contact.

Expected result: The DA/PA checker screen works end to end: entering a domain and tapping Check returns Domain Authority and Page Authority scores displayed in metric cards.

5

Handle free-tier limits and test on device

The Moz free tier imposes strict limits — a low monthly request count and a maximum of roughly 10 URL targets per query. As you test, you will quickly exhaust the free quota if you call the API repeatedly. To work within these constraints, implement two safeguards. First, cache results in a Supabase or Firestore collection keyed by domain. Before calling Moz, check the database for a cached DA value with a timestamp within the last 7 days. If found, show the cached value and skip the API call. Only call Moz if the cache is empty or stale. This pattern extends your free-tier quota dramatically for an app that checks a recurring list of domains. Second, add rate-limit handling in your action flow. If the API Call returns a 429 response (Too Many Requests), catch it and show a user-friendly message: 'Moz rate limit reached — please wait a moment and try again.' Do not retry automatically in a loop, as this will continue triggering 429s and draining quota. For mobile testing, FlutterFlow's Run mode (browser) works fine with the proxy. For native app testing, use FlutterFlow's preview on a connected device or export the project and run it locally. The HTTPS call to your Cloud Function URL works identically on iOS, Android, and web.

Pro tip: Moz free-tier quotas reset monthly. If you are building a prototype and hit the limit during development, either pause testing until the next month or upgrade to a paid Moz API plan. Note that free-tier row limits (not just monthly caps) mean batching more than ~10 targets per POST returns partial results silently.

Expected result: Caching is implemented, rate-limit errors are handled gracefully, and the app works correctly on both web Run mode and a native device build.

Common use cases

Domain Authority and Page Authority checker

Build a simple internal app where a user types a domain or URL, taps Check, and sees its Moz Domain Authority and Page Authority scores on a card. The app calls a Cloud Function proxy that forwards the POST to Moz with the Basic Auth credentials, parses the JSON response, and displays DA (0-100) and PA (0-100) alongside the number of linking root domains. The results are cached in App State so repeated lookups for the same URL don't re-consume free-tier quota.

FlutterFlow Prompt

An app where a user enters a URL or domain and sees its Moz Domain Authority score, Page Authority score, and number of linking root domains in a clean card layout.

Copy this prompt to try it in FlutterFlow

Link prospecting tool — batch authority check

Build a link-prospecting screen where an outreach team pastes a list of domains into a multi-line TextField, submits them as a batch via the Moz url_metrics POST (up to 10 URLs per request on the free tier), and sees each domain's DA score in a sortable ListView. High-authority domains are highlighted with a badge, making it easy to prioritize link-building outreach.

FlutterFlow Prompt

A link prospecting app where a user enters up to 10 domains and sees their Domain Authority scores in a sortable list, with high-DA domains highlighted.

Copy this prompt to try it in FlutterFlow

Content audit — page authority comparison

Build a content performance screen that lists your site's key URLs and their Page Authority scores side by side. An editor can add URLs to a Firestore or Supabase collection, and the app fetches PA for each URL from Moz's url_metrics endpoint on demand. The scores update weekly (stored in the database with a timestamp) so the app does not exhaust the free-tier quota with daily re-fetches.

FlutterFlow Prompt

A content audit app that stores a list of page URLs in a database and displays their Moz Page Authority scores, refreshed on demand and cached in the database with a last-updated timestamp.

Copy this prompt to try it in FlutterFlow

Troubleshooting

401 Unauthorized from Moz API — 'Access denied'

Cause: The Basic Auth credentials are incorrect, expired, or formatted wrongly. A common mistake is having the Access ID and Secret Key in the wrong order when generating the base64 string (it must be 'AccessID:SecretKey', not the reverse).

Solution: Regenerate the base64 string by running btoa('YOUR_ACCESS_ID:YOUR_SECRET_KEY') in a browser console. Update the MOZ_AUTH environment variable in your Firebase Function config to 'Basic [new_base64_string]'. Redeploy the function and test again. Confirm your Moz API access is active at moz.com/api.

429 Too Many Requests — app stops returning data

Cause: You have exceeded the Moz free-tier rate limit (per-second cap or monthly request cap). The API returns HTTP 429 when either limit is exceeded.

Solution: On the per-second limit: add a short delay in your Cloud Function before forwarding to Moz (setTimeout of 200ms) if you are making burst calls. On the monthly limit: implement caching of results in Firestore or Supabase (as described in Step 5) to minimize API calls. Consider upgrading to a paid Moz API tier if your app needs frequent lookups.

XMLHttpRequest error in FlutterFlow Run mode — CORS blocked

Cause: You are calling https://lsapi.seomoz.com/v2/url_metrics directly (without the proxy) from FlutterFlow's browser-based Run mode. Moz blocks cross-origin browser requests.

Solution: Ensure your API Group's base URL is your Firebase Cloud Function URL, not lsapi.seomoz.com. The Cloud Function adds Access-Control-Allow-Origin: * headers to all responses, resolving CORS for web builds. Check the API Group configuration in FlutterFlow's left nav → API Calls.

Response body is empty or API Call returns 400 Bad Request

Cause: The POST body is malformed. The Moz url_metrics endpoint requires the body to be valid JSON with a 'targets' key containing a non-empty array. A common FlutterFlow mistake is setting the body type to 'None' or 'x-www-form-urlencoded' instead of 'JSON'.

Solution: In the API Call settings, go to the Body tab and confirm the Body Type is set to JSON. Verify the body template is {"targets": ["{{target_url}}"]} with proper quote escaping. In the test panel, confirm the resolved body shows a valid JSON array before running the test.

Best practices

  • Never hardcode the Moz Access ID or Secret Key in a FlutterFlow API Call header — base64 is not encryption and the credentials are instantly recoverable from the header value. Always use the Cloud Function proxy with credentials in environment variables.
  • Cache DA/PA results in Firestore or Supabase keyed by domain with a timestamp, and only call Moz when the cache is missing or older than 7 days — this dramatically extends your free-tier monthly quota.
  • Handle HTTP 429 responses explicitly in your action flow by showing a user-friendly rate-limit message rather than retrying in a loop, which would worsen the problem.
  • Limit your POST targets array to 10 URLs on the free tier — sending more than the tier allows returns partial results without an error, making it hard to notice data is missing.
  • Include the spam_score field in your JSON Path extractors and display it alongside DA/PA — it is a useful secondary signal that costs no extra API calls.
  • Use Conditional Visibility to hide the results column until data is loaded, preventing users from seeing stale or zero values from a previous search.
  • Log all Cloud Function invocations (domain queried, timestamp, response status) in Firestore so you can audit monthly usage and stay within your tier limits.

Alternatives

Frequently asked questions

Is there a free tier for the Moz Links API?

Yes, Moz offers a free Links API tier with a limited monthly request quota and a maximum of approximately 10 URL targets per query. This is sufficient for prototyping and low-traffic internal tools. Check the current free tier limits at moz.com/api, as the caps can change. For production apps with frequent lookups, you will likely need a paid Moz API plan.

Why is the Moz endpoint a POST and not a GET?

The Moz url_metrics endpoint accepts an array of target URLs in the request body, which is a design choice that allows batch lookups in a single call. GET requests cannot reliably carry a body, so Moz chose POST for this endpoint. This is different from most other SEO API endpoints in this category that use GET with query parameters — make sure you set the HTTP method to POST in FlutterFlow, not GET.

Can I look up multiple domains in one API call?

Yes. The targets array in the POST body can contain multiple URLs or domains. However, the free tier limits the number of rows returned per query — approximately 10. If you pass more than 10 targets on the free tier, Moz returns results for the first batch only without an error. On paid tiers, the row limit per query is higher — check your current plan documentation for the exact cap.

Does the integration work on both iOS and Android?

Yes. Since the app calls your Cloud Function URL over HTTPS, there are no platform-specific permissions or native SDK dependencies needed. The integration works identically on iOS, Android, and web builds without any Permissions configuration in FlutterFlow's Settings & Integrations panel.

What is Domain Authority and how is it different from Page Authority?

Domain Authority (DA) is Moz's score (0-100) predicting how well an entire domain will rank in search results, based on the quality and quantity of links to the root domain. Page Authority (PA) is the same scale applied to a specific URL rather than the whole domain. Both are Moz-proprietary metrics — they are not used directly by Google but are widely used in the SEO industry to compare site and page strength.

RapidDev

Talk to an Expert

Our team has built 600+ apps. Get personalized help with your project.

Book a free consultation

Integrations are where projects stall

We wire FlutterFlow integrations like this one every week — auth, webhooks, edge cases included. Fixed-price builds from $13K, delivered in 6–10 weeks.

Talk to an integration engineer

We put the rapid in RapidDev

Need a dedicated strategic tech and growth partner? Discover what RapidDev can do for your business! Book a call with our team to schedule a free, no-obligation consultation. We'll discuss your project and provide a custom quote at no cost.