## Article Link: https://dev.wix.com/docs/build-apps/develop-your-app/frameworks/wix-cli/project-development/elevate-api-call-permissions.md

## Article Content:

# Elevate API Call Permissions

Some SDK methods require [elevated permissions](https://dev.wix.com/docs/api-reference/articles/authentication/about-elevated-permissions?apiView=SDK.md) to access sensitive data or perform privileged operations. For example, retrieving site properties or accessing business data often requires app-level authorization that [site visitors](https://dev.wix.com/docs/api-reference/articles/authentication/about-identities?apiView=SDK.md#site-visitor), [site members](https://dev.wix.com/docs/api-reference/articles/authentication/about-identities?apiView=SDK.md#site-member), and [Wix users](https://dev.wix.com/docs/api-reference/articles/authentication/about-identities?apiView=SDK.md#wix-user) don't have. Without elevation, these calls return a 403 Forbidden error.

> **Note:** To determine whether a method requires elevation, check that method's [reference documentation](https://dev.wix.com/docs/api-reference?apiView=SDK.md).

To elevate API call permissions:

1. Set up your project's backend code to handle elevated requests.
2. Send a request from your frontend code to your project's backend.

<blockquote class="important">

**Important:** Exposed elevated API calls can create a security risk for [privilege escalation attacks](https://en.wikipedia.org/wiki/Privilege_escalation). Protect your exposed API calls with logic that validates who can call them and what operations they can perform.

</blockquote>

## Step 1 | Set up the endpoint in your project's backend

Set up your backend to handle requests for elevated API calls from your frontend.

To set up your backend:

1. Create an [HTTP endpoint](https://dev.wix.com/docs/build-apps/develop-your-app/frameworks/wix-cli/supported-extensions/backend/http-endpoints/add-http-endpoints-to-your-project.md). Do only **Step 1 | Create the endpoint file** from the linked article.

2. In the file that defines your endpoint, import `APIRoute` from `astro`, the [`auth`](https://dev.wix.com/docs/sdk/core-modules/essentials/auth.md) submodule from `@wix/essentials`, and the module containing the method you want to call with elevated permissions.

   ```ts
   import type { APIRoute } from "astro";
   import { auth } from "@wix/essentials";
   import { <module> } from "@wix/<package>";
   ```

3. Expose an endpoint that calls the API method you need. Wrap the method with [`auth.elevate()`](https://dev.wix.com/docs/sdk/core-modules/essentials/auth.md#elevate) before calling it.

   ```ts
   export const GET: APIRoute = async ({ request }) => {
     const elevatedFunction = auth.elevate(<module>.function);
     const response = await elevatedFunction();
     // ...
   };
   ```

## Step 2 | Call the endpoint from your frontend

Call your backend endpoint from your frontend code.

To call the endpoint:

1. Import `httpClient` from `@wix/essentials`.

   ```ts
   import { httpClient } from "@wix/essentials";
   ```

2. Retrieve the base URL from `import.meta.url`.

   ```ts
   const baseApiUrl = new URL(import.meta.url).origin;
   ```

3. Call the endpoint using `httpClient.fetchWithAuth()` with this path: `${baseApiUrl}/api/<your-endpoint-name>`.

   ```ts
   const result = await httpClient.fetchWithAuth(`${baseApiUrl}/api/<your-endpoint-name>`);
   ```

## Examples

These examples show how to elevate [Get Site Properties](https://dev.wix.com/docs/api-reference/business-management/site-properties/properties/get-site-properties?apiView=SDK.md).

### Backend code

```ts
// src/pages/api/my-api.ts
import type { APIRoute } from "astro";
import { auth } from "@wix/essentials";
import { siteProperties } from "@wix/business-tools";

export const GET: APIRoute = async ({ request }) => {
  const elevatedGetSiteProperties = auth.elevate(siteProperties.getSiteProperties);
  const retrievedSiteProperties = await elevatedGetSiteProperties();
  return new Response(JSON.stringify(retrievedSiteProperties));
};
```
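
The handler above elevates without inspecting who is calling. The following added example (not part of the original article or Wix's code) shows one way to apply the validation the **Important** note asks for: decide who may trigger which elevated operation, then return only the fields the frontend needs. The `Caller` shape, the `POLICY` table, and the field names are assumptions for illustration, and how you derive the caller from the request is outside the example.

```ts
// Added example. Caller, POLICY and the field names are assumptions, not Wix SDK
// types; the caller types mirror the identities named in this article.
type CallerType = "visitor" | "member" | "wixUser";
interface Caller { type: CallerType; id: string }
interface Rule { allow: CallerType[]; fields: string[] }
type Decision =
  | { ok: true; fields: string[] }
  | { ok: false; status: 401 | 403 | 404 };

// Deny by default: an operation can be elevated only if it is listed here.
// A Map (not an object literal) keeps "constructor" or "__proto__" from matching.
const POLICY = new Map<string, Rule>([
  ["getSiteProperties", { allow: ["wixUser"], fields: ["businessName", "email"] }],
]);

// Decide before elevating: who is calling, and which operation do they want?
function authorize(caller: Caller | null, operation: string): Decision {
  const rule = POLICY.get(operation);
  if (!rule) return { ok: false, status: 404 };   // unknown operation
  if (!caller) return { ok: false, status: 401 }; // no identity resolved
  if (!rule.allow.includes(caller.type)) return { ok: false, status: 403 };
  return { ok: true, fields: rule.fields };
}

// Return only the allowlisted fields, not the whole elevated result.
function pickFields(
  source: Record<string, unknown>,
  fields: string[],
): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(source, f)) out[f] = source[f];
  }
  return out;
}

// Run the elevated call only after the decision allows it.
// `elevatedCall` stands in for the function returned by auth.elevate().
async function handleElevated(
  caller: Caller | null,
  operation: string,
  elevatedCall: () => Promise<Record<string, unknown>>,
): Promise<{ status: number; body: Record<string, unknown> }> {
  const decision = authorize(caller, operation);
  if (!decision.ok) return { status: decision.status, body: {} };
  return { status: 200, body: pickFields(await elevatedCall(), decision.fields) };
}
```

In the route handler, map the returned `status` and `body` onto `new Response(JSON.stringify(body), { status })`.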

### Frontend code

```tsx
// src/extensions/dashboard/pages/my-page/my-page.tsx
import { httpClient } from "@wix/essentials";

async function getSiteProperties() {
  const baseApiUrl = new URL(import.meta.url).origin;
  const result = await httpClient.fetchWithAuth(`${baseApiUrl}/api/my-api`);
  const retrievedSiteProperties = await result.json();
  console.log("Site properties:", retrievedSiteProperties.properties);
}

getSiteProperties();
```

## See also

- [About Permissions](https://dev.wix.com/docs/build-apps/develop-your-app/access/authorization/about-permissions.md)
- [About Elevated Permissions](https://dev.wix.com/docs/api-reference/articles/authentication/about-elevated-permissions?apiView=SDK.md)
- [About HTTP Endpoints](https://dev.wix.com/docs/build-apps/develop-your-app/frameworks/wix-cli/supported-extensions/backend/http-endpoints/about-http-endpoints.md)
- [Add HTTP Endpoints to Your Project](https://dev.wix.com/docs/build-apps/develop-your-app/frameworks/wix-cli/supported-extensions/backend/http-endpoints/add-http-endpoints-to-your-project.md)