About Authentication for Wix Apps
To ensure a secure connection, third-party apps integrating with Wix APIs must authenticate using the OAuth protocol. The access token and permissions granted vary depending on the authentication method:
- App instance, or an instance of your app on a specific site
- On behalf of a Wix user
- On behalf of a site visitor or member
To learn more, see About Identities.
Note: Wix offers API keys for authentication, but they aren’t available for use in third-party Wix apps.
Authentication as an app instance
This authentication strategy returns an app token with the permission scopes granted to the app. To authenticate as an app, you’ll need the app ID, app secret, and the app instance ID, which serves as a unique identifier for the app within a given website.
For more information, see Authenticate as an App Instance.
Note: If your app requires custom installation behavior, like redirecting site owners outside the Wix ecosystem, see Use Advanced OAuth. The article explains how to use advanced OAuth settings for installation and subsequently authenticate your API requests as an app instance.
Authentication on behalf of a Wix user
This authentication strategy returns a Wix app token with the intersection of permission scopes granted to the app and the Wix user in context. With this capability, apps with a dashboard page can identify requests that match the permissions of the Wix user in the dashboard. Wix users can have distinct user roles, resulting in variations in the permissions your app is granted for each user.
For example, if your app has permissions to add products to a store, but the current user doesn't, your app won't be able to add products to the store. Conversely, if the current user has permissions to add products to a store, but your app doesn't, your app won't be able to add products to the store. The only way your app can add products to a store is if both your app and the current user have permissions to do so.
For more information, see Authenticate on behalf of a Wix User.
Important: This authentication approach is currently only supported for dashboard pages.
Authentication on behalf of a site visitor or member
Wix Blocks apps can authenticate based on the permission scopes granted to both the app and the site visitor or member. For Wix Blocks, authentication is built-in, as the site running the app knows the identity of the site member or visitor calling the API.