Elevate REST API Call Permissions with Self-Hosting

In workflows that use mostly site visitor, site member, or Wix user authentication, you may occasionally need to call APIs that require the elevated level of a Wix app identity for authentication. This can happen when coding in a frontend environment such as a site extension or a dashboard extension.

The process involves two steps:

  1. Setting up your app's backend code to handle requests that require Wix app permissions.
  2. Sending an authenticated call from your frontend code to your app's backend.

Important: Exposing an endpoint that performs elevated calls creates a privilege escalation risk, because any caller who can reach it can make your app act with its own permissions. Protect your exposed function calls with appropriate authorization logic.

To elevate permissions for API calls:

Step 1 | Set up your app's backend

The first step is to set up your app's backend to handle requests for API calls from your frontend.

To set up your backend:

  1. Set up an endpoint to receive HTTP requests. In your endpoint's code, extract the authorization header from incoming requests. When you send requests to the endpoint from your frontend code, this header's value will be an access token that includes authentication data for the site visitor or member.

  2. Retrieve the app instanceId from the access token. In your endpoint code, call Wix's Token Info endpoint. The response includes the instanceId.

  3. Create an access token with a Wix app identity. In your endpoint code, call Wix's Create Access Token endpoint and include your instanceId in the request body. The response includes an accessToken with a Wix app identity.

  4. In your endpoint code, use the access token to authorize calls to endpoints that require a Wix app identity for authentication.
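The following is an added example, not code from the Wix documentation or from the Wix SDK. It is a Node.js handler for the backend endpoint described in the four steps above, and it applies the kind of guard the warning in the introduction calls for: the frontend may only name an operation from a fixed table, and only callers whose token passes a policy check are elevated. The Token Info and Create Access Token URLs, their request bodies and response fields (`active`, `subjectType`, `instanceId`, `access_token`), the `APP_ID` / `APP_SECRET` stand-ins, the elevated endpoint URL and the fake Wix API at the bottom of the file are all assumptions or constructed values; `fetchImpl` is injected so the handler can run offline against that fake.

```javascript
// Added example (not Wix's code). Backend handler for Step 1 with two
// privilege-escalation guards. Endpoint URLs, request/response field names,
// credentials and the elevated endpoint below are assumptions/placeholders.
const TOKEN_INFO_URL = 'https://www.wixapis.com/oauth2/token-info';   // assumed
const CREATE_TOKEN_URL = 'https://www.wixapis.com/oauth2/token';      // assumed
const APP_ID = 'APP_ID_PLACEHOLDER';         // stand-in: load from a secret store
const APP_SECRET = 'APP_SECRET_PLACEHOLDER'; // stand-in: never ship to the frontend

// Guard 1: the frontend names an operation; it never supplies a URL, method or
// path, so the app-identity token cannot be aimed at an arbitrary Wix endpoint.
const ALLOWED_OPERATIONS = {
  listWidgetStats: {
    method: 'GET',
    url: 'https://www.wixapis.com/placeholder/elevated-endpoint', // placeholder
  },
};

// Guard 2: only callers whose Token Info result passes this policy are elevated.
// Here: an active token belonging to a logged-in member (field names assumed).
function isAllowedCaller(tokenInfo) {
  return tokenInfo.active === true && tokenInfo.subjectType === 'MEMBER';
}

async function postJson(fetchImpl, url, body) {
  const res = await fetchImpl(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(body),
  });
  if (!res.ok) throw new Error(`${url} responded ${res.status}`);
  return res.json();
}

// Returns {status, body} rather than writing to a framework response object,
// so it can be unit tested; wire it to your HTTP framework of choice.
async function handleElevatedRequest(req, fetchImpl) {
  // Step 1: the caller's access token arrives in the Authorization header.
  const callerToken = req.headers.authorization;
  if (!callerToken) return { status: 401, body: { error: 'missing Authorization header' } };

  // Step 2: resolve the caller's token to its instanceId (and identity).
  const tokenInfo = await postJson(fetchImpl, TOKEN_INFO_URL, { token: callerToken });
  if (!isAllowedCaller(tokenInfo)) return { status: 403, body: { error: 'caller not permitted' } };

  const operation = ALLOWED_OPERATIONS[req.body && req.body.operation];
  if (!operation) return { status: 400, body: { error: 'unknown operation' } };

  // Step 3: mint an access token with a Wix app identity for that instance.
  const minted = await postJson(fetchImpl, CREATE_TOKEN_URL, {
    grant_type: 'client_credentials',
    client_id: APP_ID,
    client_secret: APP_SECRET,
    instance_id: tokenInfo.instanceId,
  });

  // Step 4: call the elevated endpoint with the app token, never the caller's.
  const upstream = await fetchImpl(operation.url, {
    method: operation.method,
    headers: { Authorization: minted.access_token },
  });
  return { status: upstream.status, body: await upstream.json() };
}

// Constructed fake of the three endpoints so the file runs offline.
// Every token and instance id here is made up.
function makeFakeWixApi() {
  const calls = [];
  const reply = (status, data) => ({ status, ok: status < 400, json: async () => data });
  const fetchImpl = async (url, init) => {
    calls.push({ url, init });
    if (url === TOKEN_INFO_URL) {
      const { token } = JSON.parse(init.body);
      if (token === 'member-token') return reply(200, { active: true, subjectType: 'MEMBER', instanceId: 'inst-123' });
      if (token === 'visitor-token') return reply(200, { active: true, subjectType: 'VISITOR', instanceId: 'inst-123' });
      return reply(200, { active: false });
    }
    if (url === CREATE_TOKEN_URL) return reply(200, { access_token: 'app-token-for-inst-123' });
    if (url === ALLOWED_OPERATIONS.listWidgetStats.url) {
      return init.headers.Authorization === 'app-token-for-inst-123'
        ? reply(200, { stats: [1, 2, 3] })
        : reply(403, { error: 'app identity required' });
    }
    return reply(404, {});
  };
  return { fetchImpl, calls };
}
```

The frontend side of Step 2 sends `{ "operation": "listWidgetStats" }` to this endpoint through the SDK client's `fetchWithAuth`, which supplies the Authorization header the handler reads. Keeping the operation table on the server, and refusing to elevate anonymous or inactive tokens, is what turns "any caller can make the app act as itself" into "a known class of caller can trigger a known operation".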

Step 2 | Send authenticated requests from your frontend

Next, use the Wix JavaScript SDK to send authenticated requests from your site's frontend code to your backend endpoint.

To send requests:

  1. In your app's frontend code, import createClient() from the @wix/sdk package as well as the relevant host module.
  2. Create an SDK client using the auth() and host() functions from the appropriate host module.
  3. Use the client's fetchWithAuth function to make calls to your app's backend endpoint. This function automatically signs API calls with an authorization header that identifies the current site visitor or member.
