With Wix Headless, you can authenticate members on a site or app using Wix as your identity provider. This allows members to securely sign in and access content or features that are specific to their account, such as their profile, saved items, order history, or other private information.
Wix-managed login uses the OAuth 2.0 protocol with PKCE (Proof Key for Code Exchange) for secure authentication. If you're new to these concepts, see OAuth 2.0 and PKCE explained.
This article explains how to implement Wix-managed member login using the JavaScript SDK.
You'll learn how to:
Note: Wix-managed login is the simplest way to set up member authentication, as Wix handles the user experience and authentication process. However, you can't change the look and feel of the Wix login page. If you need a custom-branded login experience, create a custom login page or use an external identity provider.
When using Wix-managed login, you're responsible for writing the code to start the login and handle the response. Wix handles the login UI and authentication.
The login flow looks like this:
To authenticate and interact with Wix APIs, create a Wix client in your code:
Replace <YOUR_CLIENT_ID>
with your OAuth app's Client ID from your Headless Settings.
Use your Wix client to generate the data needed for the OAuth flow.
The method takes the following 2 parameters:
The method returns an object with the following properties, used for OAuth 2.0 with PKCE (Proof Key for Code Exchange) security:
codeVerifier
for PKCE.Example:
Store the OAuth data securely for use after login. For example, use localStorage
or a cookie:
To redirect members to the Wix login:
Request the login URL from your Wix client:
Important: For this request to succeed, you must publish the Wix site connected to your Headless project. Wix uses the published site to display the login page. To do this, open your project dashboard, select Design Site from the left panel, and then click Publish.
Redirect the member to the Wix login page:
This redirects site members to the Wix-managed login page, where Wix handles the login process.
Once members log in, Wix redirects them back to your site or app along with information you can use to confirm the login and generate member tokens for frontend API calls.
If the login was successful, the callback URL contains a fragment that includes code=
and state=
. If the login failed, the URL contains a fragment that includes error=
and error_description=
.
In your callback handler:
Retrieve the stored OAuth data:
Parse the callback URL:
Exchange the code for tokens:
The returned tokens object includes:
Set the tokens on your Wix client to authenticate API calls as the logged-in member:
Access tokens expire after a short time for security reasons. When this happens, you can use a refresh token to request a new access token without asking the member to log in again.
Your API layer should handle this automatically. Set up your logic to detect when an access token has expired, use the refresh token to get a new one, and then retry the original request.
Tip: Don't expose refresh tokens to the browser. For best security, handle token refresh on the server.
To log a member out:
Get the logout URL from your Wix client:
Redirect the member to the logout URL:
This logs the member out and redirects them back to your app.
If you encounter issues with Wix-managed login, make sure that:
redirectUri
parameter passed to generateOAuthData()
is listed in your allowed authorization redirect URIs, and that the values match exactly.