About Authentication for Wix Apps
To ensure a secure connection, third-party apps integrating with Wix APIs must authenticate using the OAuth protocol. The access token and permissions granted vary depending on the authentication method:
- App instance, or an instance of your app on a specific site
- On behalf of a Wix user
- On behalf of a site visitor or member
To learn more, see About Identities.
Note: Wix offers API keys for authentication, but they aren’t available for use in third-party Wix apps.
Authentication as an app instance
When your app authenticates as an app instance, the authentication token grants access only to the permissions associated with the app. To authenticate as an app, you’ll need the app ID, app secret, and the app instance ID, which serves as a unique identifier for the app within a given website.
For more information, see Authenticate as an App Instance.
Note: If your app requires custom installation behavior, like redirecting site owners outside the Wix ecosystem, see Use Advanced OAuth. The article explains how to use advanced OAuth settings for installation and subsequently authenticate your API requests as an app instance.
Authentication on behalf of a Wix user
Your app can authenticate on behalf of a Wix user to get an access token that includes the permissions granted to both the app and the user. With this capability, apps with a dashboard page can identify requests that match the permissions of the Wix user in the dashboard. Wix users can have distinct user roles, resulting in variations in the permissions your app is granted for each user.
For example, if your app has permissions to add products to a store, but the current user doesn't, your app won't be able to add products to the store. Conversely, if the current user has permissions to add products to a store, but your app doesn't, your app won't be able to add products to the store. The only way your app can add products to a store is if both your app and the current user have permissions to do so.
In Wix-hosted apps, such as those built with Wix Blocks or the CLI, authentication is built-in.
For self-hosted apps, learn how to Authenticate on behalf of a Wix User.
Important: This authentication approach is currently only supported for dashboard pages.
Authentication on behalf of a site visitor or member
Your app can authenticate on behalf of a site visitor or member to get an access token that includes the permissions granted to both the app and the site visitor or member.
For example, APIs like Get Current Cart, which are normally accessible only by site visitors or members, can also be called by your app if it has the required permissions listed in the API reference.
In Wix-hosted apps, such as those built with Wix Blocks or the CLI, authentication is built-in.
For self-hosted apps, implement this method for: