In workflows that use mostly site visitor, site member, or Wix user authentication, you may occasionally need to call APIs that require the elevated level of a Wix app identity for authentication. This can happen when coding in a frontend environment such as a site extension or a dashboard extension.
The process involves two steps:
Important: Exposed elevated function calls create a security risk for privilege escalation attacks. Make sure to protect your exposed function calls with the appropriate logic.
To elevate permissions for API calls:
The first step is to set up your app's backend to handle requests for API calls from your frontend.
To set up your backend:
Set up an endpoint to receive HTTP requests. In your endpoint's code, extract the authorization header from incoming requests. When you send requests to the endpoint from your frontend code, this header's value will be an access token that includes authentication data for the site visitor or member.
Retrieve the app instanceId from the access token. In your endpoint code, call Wix's Token Info endpoint. The response includes the instanceId.
Create an access token with a Wix app identity. In your endpoint code, call Wix's Create Access Token endpoint and include your instanceId in the request body. The response includes an accessToken with a Wix app identity.
In your endpoint code, use the access token to authorize calls to endpoints that require a Wix app identity for authentication.
Next, use the Wix JavaScript SDK to send authenticated requests from your site's frontend code to your backend endpoint.
To send requests:
createClient() from the @wix/sdk package as well as the relevant host module.
auth() and host() functions from the appropriate host module.
fetchWithAuth function to make calls to your app's backend endpoint. This function automatically signs API calls with an authorization header that identifies the current site visitor or member.