About Elevated Permissions

Wix's permission system is designed to keep site data secure by ensuring that only authorized users can perform sensitive operations. This means that certain API methods are restricted based on the caller's identity, roles, and permissions. For example, Confirm Booking can't be called by site visitors or site members, or by Wix users without an administrative bookings role.

However, there are legitimate scenarios where it's necessary to call a method that requires higher-level permissions than the current user has.

In Wix sites and Wix apps, you can use elevation to ensure the method is always called with the required level of authorization.

Note: In Wix headless projects, you can make calls with the required level of authorization using API key authentication.

Security considerations

Elevation permits users to call methods they typically can't access. Therefore, you should only use it intentionally and securely.

Due to potential security risks, methods can only be elevated in backend code.
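The following is an added example, not Wix's own code, showing why an elevated call needs its own authorization check in the backend function that wraps it. `elevate`, `confirmBooking`, the `ctx` caller object, the sample bookings and the rule that a member may confirm only their own pending booking are all local stand-ins and assumptions that model the platform so the code runs offline.

```javascript
// Added example: local stand-ins, not the Wix SDK's API.
// Synchronous to keep the example short.
const bookingsDb = new Map([ // constructed sample data
  ['b1', { id: 'b1', memberId: 'm-alice', status: 'PENDING' }],
  ['b2', { id: 'b2', memberId: 'm-bob', status: 'PENDING' }],
]);

// Stand-in for a restricted method: rejects callers without an admin role
// unless the call has been elevated.
function confirmBooking(ctx, bookingId) {
  if (!ctx.elevated && !ctx.roles.includes('bookings-admin')) {
    throw new Error('PERMISSION_DENIED');
  }
  const booking = bookingsDb.get(bookingId);
  if (!booking) throw new Error('NOT_FOUND');
  booking.status = 'CONFIRMED';
  return booking;
}

// Stand-in for elevation: the wrapped method skips the caller's role check.
const elevate = (method) => (ctx, ...args) =>
  method({ ...ctx, elevated: true }, ...args);

// Risky wrapper: elevates on whatever ID the caller supplies, so any
// visitor who can reach it can confirm any booking.
function confirmAnyBooking(ctx, bookingId) {
  return elevate(confirmBooking)(ctx, bookingId);
}

// Safer wrapper: the backend authorizes this specific action first,
// because elevation removes the platform's own check.
function confirmOwnBooking(ctx, bookingId) {
  if (typeof bookingId !== 'string') throw new Error('INVALID_INPUT');
  const booking = bookingsDb.get(bookingId);
  // Same error for "missing" and "not yours": no existence oracle.
  if (!booking || booking.memberId !== ctx.memberId) {
    throw new Error('NOT_FOUND');
  }
  if (booking.status !== 'PENDING') throw new Error('INVALID_STATE');
  return elevate(confirmBooking)(ctx, bookingId);
}
```

The caller identity in `ctx` must come from the authenticated session on the server, never from a value the client sends.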

Implementation approaches

Different development contexts require different approaches for implementing elevation. For more details, see the article corresponding to your context:
