Warning: For apps that don't require redirecting users outside Wix during installation, such as for creating an external account or other custom installation behavior, we recommend using basic OAuth.
Advanced OAuth follows the industry-standard OAuth 2.0 protocol, which provides a secure way for site owners to grant your app permissions. Whenever a site owner installs your app, your app’s code must complete an OAuth handshake.
Before you start, it's important to understand how the advanced OAuth flow works. The diagram below shows the complete flow including all actions that your app, Wix, and the user must take.
Before setting up your app’s advanced OAuth settings, complete the OAuth settings in your app's dashboard.
unsafe-none
. This enables
Wix to close the redirect window as part of the flow. If the COOP of either
URL has a different value, set it to unsafe-none
.token
query parameter value. We recommend that, at this
point, you omit a sign-up or log-in step on your end. Instead, we recommend
that you immediately forward your new user to the authorization request
that’s described in the next step.https://www.wix.com/installer/install
. There,
they’re asked to approve the complete list of
permissions
that your app is requesting. Include the token
, your appId
, and
redirectUrl
as query parameters. You may also pass a state
to identify
your customers along the installation process.redirectURL
. From the redirect’s query parameters, save the
code
and instanceId
. Wix also includes state
as a query parameter
value. If the value doesn’t match the one provided by you, the request may
have been created by a third party. Then, we recommend aborting the process.code
is valid for 10 minutes. Use it to
request your app’s refresh and access token by calling
Request an Access Token.
The access token is only valid for 5 minutes. You need to request a new
access token to make Wix API calls after it expires.https://www.wix.com/installer/close-window?access_token=<ACCESS_TOKEN>
.
Make sure to replace <ACCESS_TOKEN>
with your app instance’s access token.state
is“Setup Incomplete”
. This state is
useful if your app requires users to create an account or set other
configuration parameters for the app to become active. If your app doesn’t
require user input to become active, or after the user has completed their
part, update your app instance’s state by calling
Send BI Event.
Make sure to pass {"eventName": "APP_FINISHED_CONFIGURATION"}
.After you successfully set up advanced OAuth, you can call the relevant Wix APIs described in our API Reference.
{"grant_type": "refresh_token"}
and your app’s secret key as
client_secret
in the request.Authorization
header in the relevant API call. The access token is only valid for 5 minutes.