Some SDK methods require elevated permissions to access sensitive data or perform privileged operations. For example, retrieving site properties or accessing business data often requires app-level authorization that site visitors, site members, and Wix users don't have. Without elevation, these calls return a 403 Forbidden error.
Note: To determine whether a method requires elevation, check that method's reference documentation.
To elevate API call permissions:
Important: Exposed elevated API calls can open your site to privilege escalation attacks. Protect your exposed API calls with logic that validates who can call them and what operations they can perform.
1. Set up your backend to handle requests for elevated API calls from your frontend.
   To set up your backend:
   a. Create an HTTP endpoint. Do only "Step 1 | Create the endpoint file" from the linked article.
   b. In the file that defines your endpoint, import APIRoute from astro, the auth submodule from @wix/essentials, and the module containing the method you want to call with elevated permissions.
   c. Expose an endpoint that calls the API method you need. Wrap the method with auth.elevate() before calling it.
2. Call your backend endpoint from your frontend code.
   To call the endpoint:
   a. Import httpClient from @wix/essentials.
   b. Retrieve the base URL from import.meta.url.
   c. Call the endpoint using httpClient.fetchWithAuth() with this path: ${baseApiUrl}/api/<your-endpoint-name>.
These examples show how to elevate Get Site Properties.
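The following block is an added example, not one of Wix's own examples: it sketches the validation logic that the Important note asks for, placed in front of an elevated call. Caller, Rule, POLICY, authorize, pickFields and handleElevated are hypothetical names, the field names are constructed sample values, and how the caller's identity is resolved from the request is assumed to happen elsewhere in your project.

```typescript
// Added example: guard logic for an endpoint that exposes an elevated call.
// None of these names are Wix SDK APIs; `elevated` stands in for the
// function returned by auth.elevate(<method>).
type Role = "visitor" | "member" | "wixUser";
interface Caller { id: string | null; role: Role }
interface Rule { roles: Role[]; fields: string[] }
type Result = { status: number; body: unknown };

// Which roles may trigger which elevated operation, and which result fields
// may leave the backend. A Map avoids matching inherited keys such as
// "constructor". Anything not listed is denied.
const POLICY = new Map<string, Rule>([
  ["getSiteProperties", { roles: ["wixUser"], fields: ["siteDisplayName", "language"] }],
]);

// Decide whether this caller may run this operation; returns an HTTP status.
function authorize(caller: Caller, operation: string): number {
  const rule = POLICY.get(operation);
  if (!rule) return 404;               // operation is not exposed at all
  if (caller.id === null) return 401;  // no identity established
  return rule.roles.indexOf(caller.role) !== -1 ? 200 : 403;
}

// Copy only allowlisted fields so elevated data is never returned wholesale.
function pickFields(data: Record<string, unknown>, fields: string[]): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(data, f)) out[f] = data[f];
  }
  return out;
}

// The elevated function is invoked only after the caller passes the check.
async function handleElevated(
  caller: Caller,
  operation: string,
  elevated: () => Promise<Record<string, unknown>>,
): Promise<Result> {
  const status = authorize(caller, operation);
  const rule = POLICY.get(operation);
  if (status !== 200 || !rule) return { status, body: { error: "not allowed" } };
  const data = await elevated();
  return { status: 200, body: pickFields(data, rule.fields) };
}
```

In an endpoint file, the returned status and body would be turned into the HTTP response, with the elevated method passed in as the third argument.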