Get to know our frameworks

Select an app template built on your preferred framework.

Build apps on our native app editor. Use drag and drop elements, Velo code and Wix APIs to develop custom features.

Streamline your app development process with the Wix CLI. Get a familiar developer experience with minimal setup and configuration.

Take full control over your app's tech stack, deployment, and hosting.

App templates

Wix Blocks templates

Wix CLI templates

Self-hosted templates

Kickstart your app development with templates built on your preferred Wix developer tool. Browse templates for practical foundation and get to know the Wix ecosystem.

Wix App Templates for Developers

This example apps can be used as a starting point for building your own app, for concrete examples of how to use Wix framework, or for inspiration.

Choose a template.<0 />Build an app.

Browse by:

How to build it step by step:

This template is built with:

Read how this template was built, step by step.

How we built this template

Deployment instructions:

Choose a package manager and run the command in your terminal.

Copy command

Before you get started, make sure you have the following:

Prerequisite steps

Get started with Wix CLI

Begin by setting up your Next.js project with your preferred hosting platform.

Select your hosting service

Start the deployment flow and set up your template repo on Netlify. After you finish set up, come back here and add your Netlify custom domain.

Copy the code from our Git repo to deploy your app on any platform that supports Next.js.

Start the deployment flow and set up your template repo on Vercel. After you finish set up, come back here and add your Vercel generated URL.

Add the base URL and give your app a name.

App details

Go to the app dashboard and test your app to ensure a smooth integration within the Wix ecosystem. <0>Learn more about app checks and testing</0>

Define your environment

Terminal

Related templates

Note

Warning

Your app name will be used as the namespace suffix.

Name your app to generate a namespace. This lets you refer to your app in code later on.

Go Headless

Build Apps

Client

API Preview

Ricos

Develop Websites

REST

Velo

GraphQL (Alpha)

# Authenticate Incoming Requests to Your Backend

Once you expose a backend API to make it available for your app, you need to make sure that requests to your API are coming from your app and not from malicious users.

To authenticate requests, use your app's unique app instance object, which is signed with your app's secret key.

## App instance object

An app instance object is a JSON object that contains information about the site an app is installed on, the current user, and the current instance of your app. Wix encrypts this object and passes it in string format to your app's iframe as a query parameter.

The app instance object contains the following useful fields:

- **`instanceId`**: ID of the current instance of your app.
- **`uid`**: ID of the user who is logged into the site your app is installed on.

To learn more about the app instance object and its fields, see [About App Instances](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/access/app-instances/about-app-instances).

## Step 1 | Get the app instance

In your app’s frontend code, you need to retrieve the app instance string so you can send it along with your requests to the backend.

To retrieve the app instance string, use the following helper function in your code:

```ts
export function getAppInstance() {
  return new URLSearchParams(window.location.search).get('instance')!;
}
```

## Step 2 | Send the app instance

Once you've retrieved the app instance, you need to send it in requests you make to your backend. Your backend should use the app instance to authenticate requests and extract any information needed from the app instance.

To make HTTP requests to your backend with the signed instance, use something similar to the following (typescript) helper function:

```ts
export async function fetchWithWixInstance(url: string, options: RequestInit) {
  return fetch(url, {
    ...options,
    headers: {
      Authorization: getAppInstance(),
      ...options.headers,
    },
  });
}
```

This function sends the app instance string in the authorization header when making requests to the backend.

## Step 3 | Validate the app instance

When a request is made to your app’s backend, you should authenticate it before continuing to process it. To do this, you need your app's secret key. You can get your app's secret key from the **OAuth** page in your app's dashboard in the [Wix Developers Center](fallback::https://dev.wix.com/apps).

> **Important:** Store your app secret securely on your server!

The app instance string has 2 parts — signature and data. To authenticate a request, extract the signature from the app instance string sent in the request and verify it was signed with your app's secret key.

For parsing examples in a number of programming languages, see [Parse Encoded App Instance Data](fallback::https://dev.wix.com/docs/build-apps/develop-your-app/access/app-instances/parse-encoded-app-instance-data#parse-encoded-app-instance-data).

Here is an example of how to parse the instance in TypeScript:

```ts
import { createHmac } from 'crypto';

export function parseInstance(
  instance: string,
  appSecret: string
): {
  instanceId: string;
  appDefId: string;
  signDate: string;
  uid: string;
  permissions: 'OWNER';
  demoMode: boolean;
  siteOwnerId: string;
  siteMemberId: string;
  expirationDate: string;
  loginAccountId: string;
  pai: null;
  lpai: null;
} | null {
  var parts = instance.split('.'),
    hash = parts[0],
    payload = parts[1];

  if (!payload) {
    return null;
  }

  if (!validateInstance(hash, payload, appSecret)) {
    return null;
  }

  return JSON.parse(base64Decode(payload, 'utf8'));
}

function validateInstance(hash: string, payload: string, secret: string) {
  if (!hash) {
    return false;
  }

  hash = base64Decode(hash);

  var signedHash = createHmac('sha256', secret)
    .update(payload)
    .digest('base64');

  return hash === signedHash;
}

function base64Decode(input: string, encoding: 'base64' | 'utf8' = 'base64') {
  return Buffer.from(
    input.replace(/-/g, '+').replace(/_/g, '/'),
    'base64'
  ).toString(encoding);
}
```