Elevate API Call Permissions with the CLI

In workflows that use mostly site visitor, site member, or Wix user authentication, you may occasionally need to make calls with elevated permissions. You can use the JavaScript SDK to provide specific calls with Wix app authentication.

The process involves two steps:

  1. Setting up your app's backend code to handle elevated requests.
  2. Sending an authenticated call from your frontend code to your app's backend. Frontend code includes site extension and dashboard extension code.

Important: Exposed elevated function calls create a security risk for privilege escalation attacks. Make sure to protect your exposed function calls with the appropriate logic.

To elevate permissions for API calls:

Step 1 | Set up your app's backend

The first step is to set up your app's backend to handle requests for elevated function calls from your frontend.

To set up your backend:

  1. Create an API extension to allow your app to expose backend HTTP functions.
  2. In the api.ts file in your CLI project, import the auth submodule from @wix/essentials as well as the module containing the function that you want to make elevated calls to.
    Copy
  3. Expose an endpoint that calls the function you need. Wrap the function with auth.elevate() before calling it.
    Copy

Step 2 | Send authenticated requests from your frontend

Next, send authenticated requests from your site's frontend code to your backend endpoint.

To send requests:

  1. Import the httpClient submodule from the @wix/essentials package.
    This submodule includes a function called fetchWithAuth. This function automatically signs API calls with an authorization header that identifies the current site visitor, site member, or Wix user.
    Copy
  2. Call your app's backend HTTP function using fetchWithAuth().
    The base URL for your endpoint is provided automatically by the CLI. Note that the path for your endpoint is based on the name of its containing folder in the CLI.
    Copy

See also

Did this help?