Elevate API Call Permissions with Self-hosting

In workflows that use mostly site visitor, site member, or Wix user authentication, you may occasionally need to make calls with elevated permissions. You can use the JavaScript SDK to provide specific calls with Wix app authentication.

The process involves two steps:

  1. Setting up your app's backend code to handle elevated requests.
  2. Sending an authenticated call from your frontend code to your app's backend. Frontend code includes site extension and dashboard extension code.

Important: Exposed elevated function calls create a security risk for privilege escalation attacks. Make sure to protect your exposed function calls with the appropriate logic.

To elevate permissions for API calls:

Step 1 | Set up your app's backend

The first step is to set up your app's backend to handle requests for elevated function calls from your frontend.

To set up your backend:

  1. In your code file, import the following:
    • createClient and AppStrategy from the Wix SDK module.
    • The SDK module containing the function that you want to make elevated calls to.
    • Express
    Copy
    1

    Note: You can use your preferred method to expose HTTP functions from your self-hosted backend. For this example, we used the express NPM package.

  2. Set up an endpoint. In your endpoint's code, extract the authorization header from incoming requests. When you send requests to the endpoint from your frontend code, this header's value will be an access token that includes authentication data for the site visitor or member.
    Copy
    1
  3. In your endpoint code, use createClient() to create a client that can make authenticated SDK calls. Use AppStrategy to construct the auth value for your createClient() call. Chain a call to elevated() to your call to the AppStrategy constructor. Your createClient() call should include your app ID, app secret key, access token, and SDK module. You can find your app ID and app secret key in the Wix Dev Center.
    Copy
    1
    This call to createClient() returns a client that can make API calls with Wix app authentication. To make calls with site visitor or site member authentication, create a second client without using elevated().
  4. Use the client to make elevated calls to the functions of the SDK module.
    Copy
    1

Step 2 | Send authenticated requests from your frontend

Next, send authenticated requests from your site's frontend code to your backend endpoint.

To send requests:

  1. In your app's frontend code, import createClient() as well as the relevant host module.
    Copy
    1
  2. Create an SDK client using the auth() and host() functions from the appropriate host module.
    Copy
    1
  3. Use the client's fetchWithAuth function to make calls to your app's backend endpoint. This function automatically signs API calls with an authorization header that identifies the current site visitor or member.
    Copy
    1

See also

Was this helpful?
Yes
No