Coding Examples

Sled Tests

Go Headless

Develop Websites (SDK)

Build Apps

Client (Deprecated)

API Preview

Wix CLI

Ricos

Develop Websites

API Reference

Velo

Picasso

GraphQL (Alpha)

# About Elevated Permissions

Wix's permission system is designed to keep site data secure by ensuring that only authorized users can perform sensitive operations. This means that certain API methods are restricted based on user [identity](fallback::https://dev.wix.com/docs/api-reference/articles/authentication/about-identities) and [roles and permissions](fallback::https://support.wix.com/en/article/roles-permissions-overview). For example, [Confirm Booking](fallback::https://dev.wix.com/docs/api-reference/business-solutions/bookings/bookings/bookings-writer-v2/confirm-booking) can't be called by site visitors or site members, or by Wix users without an administrative bookings role.

However, there are legitimate scenarios where it's necessary to call a method that requires higher-level permissions than the current user has. 

In Wix sites, Wix apps, and Wix-managed headless projects, you can use elevation to ensure the method is always called with the required level of authorization.

> **Note:**
> - In self-managed headless projects, use [API key authentication](portalId::d1972c09-74e2-4d36-a6f2-54e3310d4ad9resourceId::e158edfe-d6bb-40ba-9ee6-83bdafd5b2b5*fallback::https://dev.wix.com/docs/api-reference/articles/authentication/api-keys/about-api-keys) to make calls with the required level of authorization.

## Security considerations

Elevation permits [identities](fallback::https://dev.wix.com/docs/api-reference/articles/authentication/about-identities) to call methods they typically can't access. Therefore, only use elevation intentionally and securely.

Due to potential security risks, methods can only be elevated in backend code.

## Implementation approaches

::::tabs

:::REST_TAB

Different development contexts require different approaches for implementing elevation. For more details, see the article corresponding to your context:

- [Elevation in Wix apps not made in Blocks](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/access/authorization/about-elevation)
- [Elevation in Wix sites or Blocks apps](fallback::https://dev.wix.com/docs/develop-websites/articles/coding-with-velo/authorization/elevation)
- [Elevation in Wix-managed headless projects](fallback::https://dev.wix.com/docs/go-headless/develop-your-project/wix-managed-headless/authentication/authentication-and-api-integration)

:::

:::SDK_TAB

The use cases for elevating permissions are different depending on the type of project you are building. 

### Elevation when building apps

When building apps, calls to Wix APIs can be restricted based on user [identity](fallback::https://dev.wix.com/docs/api-reference/articles/authentication/about-identities).

For example, if an app includes a [site widget](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/extensions/site-extensions/site-widgets/about-site-widget-extensions) that manages bookings, most calls from the extension can be made with site visitor or member authentication. However, the app may also need to call APIs that can't be called when authenticated as a visitor or member, such as [Confirm Booking](fallback::https://dev.wix.com/docs/api-reference/business-solutions/bookings/bookings/bookings-writer-v2/confirm-booking). Calls to these APIs require elevation.

Learn more about [elevation when building apps](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/access/authorization/about-elevation).

### Elevation when building Wix-managed headless projects

When building a Wix-managed headless project, use elevation to call methods that require higher-level permissions than the current identity has. For example, calling [Get Site Properties](fallback::https://dev.wix.com/docs/api-reference/business-management/site-properties/properties/get-site-properties) requires elevation. To call backend APIs from a headless client, [set up an HTTP endpoint](fallback::https://dev.wix.com/docs/wix-cli/guides/development/http-endpoints/about-http-endpoints) and [elevate API call permissions](portalId::9d2c17b5-bdfd-4ef8-95e1-9efa463d13f5resourceId::bb871dfc-067d-4da1-983d-45767c3d5dd7*fallback::https://dev.wix.com/docs/wix-cli/guides/development/elevate-api-call-permissions).

Learn more about [elevation when building Wix-managed headless projects](fallback::https://dev.wix.com/docs/go-headless/develop-your-project/wix-managed-headless/authentication/authentication-and-api-integration).

> **Note:** For self-managed headless projects, use [API key authentication](portalId::4433709a-e41c-4551-ac9d-c21eecb23683resourceId::5f44a09e-4f2f-4769-9d9e-03bb5ad925af*fallback::https://dev.wix.com/docs/go-headless/develop-your-project/admin-operations/about-admin-operations).

### Elevation when developing websites

When developing websites, calls to Wix APIs can be restricted based on user [identity](fallback::https://dev.wix.com/docs/api-reference/articles/authentication/about-identities) or [roles and permissions](fallback::https://support.wix.com/en/article/roles-permissions-overview).

For example, if a page on a site manages bookings, it may need to call Confirm Booking. Only a Wix user with an administrative bookings role can call this method. Therefore, calls to this method from a page's code require elevation.

Learn more about elevation when [developing websites](fallback::https://dev.wix.com/docs/develop-websites/articles/coding-with-velo/authorization/elevation).

:::

::::