Go Headless

Build Apps

Client

API Preview

Develop Websites

REST

Velo

GraphQL (Alpha)

# About OAuth

Your app must authenticate Wix API calls using the OAuth protocol.

By default, OAuth authentication follows the
[OAuth Client Credentials protocol](fallback::https://oauth.net/2/grant-types/client-credentials/).
Using this approach, you don’t need to implement an OAuth handshake for each
installation of your app. Instead, your app can request access tokens directly
by passing the following values:

* App ID
* App secret
* The relevant [app instance ID](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/access/app-instances/about-app-instances)

<blockquote class='tip'>

**Tip:** To find your app ID and app secret, visit the [Wix Dev Center **OAuth** page](fallback::https://dev.wix.com/app-selector?title=Select+an+App&primaryButtonText=Select+Site&actionUrl=https%3A%2F%2Fdev.wix.com%2Fapps%2F%7BappId%7D%2Foauth).

</blockquote>

To get started, see [Use OAuth](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/access/authentication/use-oauth).

## Advanced OAuth settings

Wix offers advanced OAuth settings to allow for more control over user identification and redirection during the app installation process. We recommend that your app [use advanced OAuth](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/access/authentication/use-advanced-oauth) whenever you need to redirect your users to a URL outside the Wix ecosystem during the app installation flow. For example, when your users can’t create an account for your app in the Wix dashboard.

Advanced OAuth follows the industry-standard [OAuth 2.0 protocol](fallback::https://oauth.net/2/),
which provides a secure way for site owners to grant your app permissions.
Whenever a site owner installs your app, your app’s code must complete an OAuth
handshake. This requires that you set up a server to handle the relevant
redirects. Then, you need to store the refresh token for the new app instance
in your database. Finally, you can use the refresh token to retrieve an access
token and call the relevant Wix API.

With Advanced OAuth, it’s critical that your app saves the refresh token during
installation. If the process fails, you’re unable to retrieve access tokens
using [Refresh an Access Token](fallback::https://dev.wix.com/docs/rest/app-management/oauth-2/refresh-an-access-token).
Though from the site owner’s point-of-view, it seems that the app installation
has succeeded. You have 2 options in this situation: Ask the site owners to
re-install your app, or fall back to retrieving access tokens with the basic
OAuth strategy by calling [Create Access Token](fallback::https://dev.wix.com/docs/rest/app-management/oauth-2/create-access-token).

Basic OAuth has the following advantages compared to advanced OAuth:

* OAuth helps prevent corrupted installations.
* OAuth is simpler to implement, since you don't need to setup and run a server for redirects or manage a database for refresh tokens.
* With advanced OAuth, cloned sites can bypass consent flows, potentially causing issues with refresh tokens. Users may need to reinstall the app to obtain the required refresh token for proper installation.

To get started, see [Use Advanced OAuth](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/access/authentication/use-advanced-oauth).