About OAuth

Your app must authenticate Wix API calls using the OAuth protocol.

By default, OAuth authentication follows the OAuth Client Credentials protocol. Using this approach, you don’t need to implement an OAuth handshake for each installation of your app. Instead, your app can request access tokens directly by passing the app ID, the app’s secret, and the relevant app instance ID.

In most cases, it’s sufficient that your app uses OAuth. Wix also offers advanced OAuth settings in case you need to identify your customers along the installation process, or if you need to redirect them at the end of the process before they see your app’s dashboard.

Advanced OAuth settings

We recommend that your app uses advanced OAuth instead of basic OAuth whenever you need to redirect your users to a URL outside the Wix ecosystem during the app installation flow, for example when your users can't create an account for your app from within the Wix dashboard.

You can choose to implement advanced OAuth settings. Keep in mind, though, that basic OAuth has two main advantages over advanced OAuth: it prevents corrupted installations, and it is simpler to implement, since you don't need to set up and run a server for redirects or manage a database for refresh tokens.

Advanced OAuth follows the industry-standard OAuth 2.0 protocol, which provides a secure way for site owners to grant your app permissions. Whenever a site owner installs your app, your app’s code must complete an OAuth handshake. This requires that you set up a server to handle the relevant redirects. Then, you need to store the refresh token for the new app instance in your database. Finally, you can use the refresh token to retrieve an access token and call the relevant Wix API.

With advanced OAuth, it's critical that your app saves the refresh token during installation. If that step fails, you can't retrieve access tokens using Refresh an Access Token, even though, from the site owner's point of view, the app installation appears to have succeeded. You have 2 options in this situation: ask the site owner to re-install your app, or fall back to retrieving access tokens with the basic OAuth strategy by calling Create Access Token.
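The following is an added example (not Wix's own SDK or sample code) that ties together the two strategies described on this page: the installation step of advanced OAuth, which must persist the refresh token before the installation is treated as successful, and an access-token helper that falls back to the basic client-credentials request when no refresh token was saved for an app instance. The token endpoint URL and the request field names (`grant_type`, `client_id`, `client_secret`, `instance_id`, `refresh_token`) are assumptions to confirm against the Create Access Token and Refresh an Access Token references; the token endpoint itself is replaced by a constructed in-process fake so the example runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Assumed token endpoint and parameter names (placeholders for this example;
# confirm against the Wix "Create Access Token" and "Refresh an Access Token"
# reference before relying on them).
TOKEN_URL = "https://www.wixapis.com/oauth2/token"

# A transport POSTs a JSON body to a URL and returns the parsed JSON reply.
# In production this wraps your HTTP client; below, a constructed fake is used.
TokenTransport = Callable[[str, Dict[str, str]], Dict[str, str]]


@dataclass
class InstallStore:
    """Stand-in for the database that holds one refresh token per app instance."""
    refresh_tokens: Dict[str, str] = field(default_factory=dict)
    fail_writes: bool = False  # simulate a database outage during installation

    def save_refresh_token(self, instance_id: str, refresh_token: str) -> bool:
        if self.fail_writes:
            return False
        self.refresh_tokens[instance_id] = refresh_token
        return True

    def get_refresh_token(self, instance_id: str) -> Optional[str]:
        return self.refresh_tokens.get(instance_id)


def complete_install(store: InstallStore, token_response: Dict[str, str],
                     instance_id: str) -> bool:
    """Final step of the advanced-OAuth handshake: persist the refresh token.

    Returns True only once the token is durably stored. The caller must treat
    False as a failed installation and alert on it, because Wix will already
    show the app as installed from the site owner's point of view.
    """
    refresh_token = token_response.get("refresh_token")
    if not refresh_token:
        return False
    return store.save_refresh_token(instance_id, refresh_token)


def get_access_token(store: InstallStore, transport: TokenTransport, app_id: str,
                     app_secret: str, instance_id: str) -> Tuple[str, str]:
    """Return (access_token, strategy_used).

    Prefers the stored refresh token (advanced OAuth). If none was saved for
    this instance, or the refresh is rejected, falls back to the basic
    client-credentials request, which needs only app ID, secret and instance ID.
    """
    refresh_token = store.get_refresh_token(instance_id)
    if refresh_token is not None:
        reply = transport(TOKEN_URL, {
            "grant_type": "refresh_token",
            "client_id": app_id,
            "client_secret": app_secret,
            "refresh_token": refresh_token,
        })
        if "access_token" in reply:
            return reply["access_token"], "refresh_token"
    reply = transport(TOKEN_URL, {
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "instance_id": instance_id,
    })
    if "access_token" not in reply:
        raise RuntimeError("token request rejected: %s" % reply.get("error", "unknown"))
    return reply["access_token"], "client_credentials"


def redact(body: Dict[str, str]) -> Dict[str, str]:
    """Copy of a token request that is safe to log: secret and tokens masked."""
    return {k: ("***" if k in ("client_secret", "refresh_token") else v)
            for k, v in body.items()}


# --- constructed fake of the token endpoint so the example runs offline ---
APP_ID, APP_SECRET, INSTANCE_ID = "app_123", "s3cr3t", "inst_1"  # constructed values


def fake_wix_token_endpoint(url: str, body: Dict[str, str]) -> Dict[str, str]:
    """Issues tokens only for the constructed app, secret and instance above."""
    if body.get("client_id") != APP_ID or body.get("client_secret") != APP_SECRET:
        return {"error": "invalid_client"}
    if body.get("grant_type") == "refresh_token" and body.get("refresh_token") == "rt_abc":
        return {"access_token": "at_from_refresh"}
    if body.get("grant_type") == "client_credentials" and body.get("instance_id") == INSTANCE_ID:
        return {"access_token": "at_from_cc"}
    return {"error": "invalid_grant"}


if __name__ == "__main__":
    store = InstallStore(fail_writes=True)
    # Installation whose database write fails: report failure, don't assume success.
    ok = complete_install(store, {"access_token": "x", "refresh_token": "rt_abc"}, INSTANCE_ID)
    print("refresh token persisted:", ok)
    # No refresh token saved -> helper falls back to client credentials.
    print(get_access_token(store, fake_wix_token_endpoint, APP_ID, APP_SECRET, INSTANCE_ID))
    store.fail_writes = False
    complete_install(store, {"access_token": "x", "refresh_token": "rt_abc"}, INSTANCE_ID)
    print(get_access_token(store, fake_wix_token_endpoint, APP_ID, APP_SECRET, INSTANCE_ID))
```

The design point is that `complete_install` is the only place an installation is declared successful, and it says so only after the refresh token is on disk; a `False` result is the signal to page someone or to rely on the client-credentials fallback in `get_access_token`, rather than discovering the gap later when the first API call fails. `redact` exists because token request bodies carry the app secret and refresh token, and request logging is the usual way those leak.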
