Once you expose a backend API to make it available for your app, you need to make sure that requests to your API are coming from your app and not from malicious users.
To authenticate requests, use your app's unique app instance object, which is signed with your app's secret key.
An app instance object is a JSON object that contains information about the site an app is installed on, the current user, and the current instance of your app. Wix encrypts this object and passes it in string format to your app's iframe as a query parameter.
The app instance object contains the following useful fields:
instanceId
: ID of the current instance of your app.uid
: ID of the user who is logged into the site your app is installed on.To learn more about the app instance object and its fields, see About App Instances.
In your app’s frontend code, you need to retrieve the app instance string so you can send it along with your requests to the backend.
To retrieve the app instance string, use the following helper function in your code:
Once you've retrieved the app instance, you need to send it in requests you make to your backend. Your backend should use the app instance to authenticate requests and extract any information needed from the app instance.
To make HTTP requests to your backend with the signed instance, use something similar to the following (typescript) helper function:
This function sends the app instance string in the authorization header when making requests to the backend.
When a request is made to your app’s backend, you should authenticate it before continuing to process it. To do this, you need your app's secret key. You can get your app's secret key from the OAuth page in your app's dashboard.
Important: Store your app secret securely on your server!
The app instance string has 2 parts — signature and data. To authenticate a request, extract the signature from the app instance string sent in the request and verify it was signed with your app's secret key.
For parsing examples in a number of programming languages, see Parse Encoded App Instance Data.
Here is an example of how to parse the instance in TypeScript: