In workflows that use mostly site visitor, site member, or Wix user authentication, you may occasionally need to make calls with elevated permissions. You can use the JavaScript SDK to provide specific calls with Wix app authentication.
The process involves 2 steps:
You can make calls from your frontend code to your app's backend using either web method extensions or API extensions. We recommend using web method extensions in this situation as they offer several advantages over API extensions.
Important: Exposed elevated function calls create a security risk for privilege escalation attacks. Make sure to protect your exposed function calls with the appropriate logic.
To elevate permissions for calls to Wix APIs using a web method extension:
Set up your app's backend to handle requests for elevated function calls from your frontend.
To set up your backend:
Create a web method extension to define a function in your app's backend that you can call from your frontend code.
In the extension's web.ts file in your CLI project, import the auth submodule from @wix/essentials as well as the module containing the function that you want to make elevated calls to.
Define a web method that calls the function you need, using the permissions parameter to define the required permissions.
Wrap the function with auth.elevate() before calling it.
To call the web method, import it from the extension's web.ts file, then call it in your code.
This call is authenticated automatically.
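The privilege escalation warning above, shown as an added example that is not part of the Wix documentation: a handler that forwards client arguments straight into an elevated call, next to a guarded version that validates, authorizes, and trims the result. The elevate stand-in, getOrder, the Caller object and the order data are hypothetical and constructed so the code runs offline; in a real web.ts the wrapper is auth.elevate() and the SDK calls are asynchronous.

```typescript
// Stand-ins (assumptions) so this runs offline: in a real web.ts, `elevate`
// is auth.elevate() from @wix/essentials and the SDK call is asynchronous.
type Order = { id: string; ownerId: string; total: number; internalNotes: string };
type Caller = { memberId: string | null }; // hypothetical server-side identity

const ORDERS: Order[] = [ // constructed sample data
  { id: "ord-1001", ownerId: "member-a", total: 40, internalNotes: "fraud review" },
  { id: "ord-1002", ownerId: "member-b", total: 75, internalNotes: "vip" },
];

// Hypothetical privileged lookup: refuses to run unless called elevated.
function getOrder(id: string, elevated = false): Order {
  if (!elevated) throw new Error("PERMISSION_DENIED");
  const order = ORDERS.filter((o) => o.id === id)[0];
  if (!order) throw new Error("NOT_FOUND");
  return order;
}
const elevate = (fn: typeof getOrder) => (id: string): Order => fn(id, true);

// Unsafe: forwards the client's argument into the elevated call, so any
// caller can read any order, including staff-only fields.
function getOrderUnsafe(_caller: Caller, orderId: string): Order {
  return elevate(getOrder)(orderId);
}

// Guarded: validate input, require an identity, elevate one narrow call,
// check ownership on the server, and return only allow-listed fields.
function getOrderGuarded(caller: Caller, orderId: unknown): { id: string; total: number } {
  if (typeof orderId !== "string" || !/^ord-\d{1,10}$/.test(orderId)) {
    throw new Error("INVALID_ARGUMENT");
  }
  if (caller.memberId === null) throw new Error("UNAUTHENTICATED");
  let order: Order | null = null;
  try {
    order = elevate(getOrder)(orderId);
  } catch {
    order = null; // unknown id: handled below with the same error as "not yours"
  }
  // Same error for "missing" and "not yours", so ids cannot be enumerated.
  if (order === null || order.ownerId !== caller.memberId) throw new Error("NOT_FOUND");
  return { id: order.id, total: order.total };
}
```

The caller identity must come from the platform's authenticated context on the server, never from an argument the frontend supplies.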
To elevate permissions for calls to Wix APIs using an API extension:
Set up your app's backend to handle requests for elevated function calls from your frontend.
To set up your backend:
In the extension's api.ts file in your CLI project, import the auth submodule from @wix/essentials as well as the module containing the function that you want to make elevated calls to.
Wrap the function with auth.elevate() before calling it.
Send authenticated requests from your site's frontend code to your backend endpoint.
To send requests:
Import the httpClient submodule from the @wix/essentials package.
Send the request with fetchWithAuth. This function automatically signs API calls with an authorization header that identifies the current site visitor, site member, or Wix user.
fetchWithAuth().