Note: This article is relevant for self-managed headless projects, and for Wix-managed headless projects built with a framework other than Astro. If you build with Wix's Astro integration, the CLI generates and manages visitor tokens for you automatically.
Use visitor tokens to maintain anonymous visitor sessions in your self-managed headless project. The SDK uses these tokens when making requests to Wix APIs on behalf of a visitor, preserving their data such as cart items or event reservations.
Tip: For Wix-managed headless projects, you can also find your client ID locally as the appId in your project's wix.config.json file.
Note: Visitor and member authentication requires only a client ID, not a client secret. You need a client secret only to perform admin operations using the OAuth client_credentials flow.
Call generateVisitorTokens() and store tokens to persist the session.
generateVisitorTokens() initially lets you persist tokens if the app reloads before making your first API call.To persist a visitor's session across page reloads or app restarts, save the tokens to local storage, a cookie, or a file.
Retrieve the active tokens with getTokens().
The method returns an object in this format:
Save the tokens to your preferred storage:
Call Wix API methods using your client.
Note: If you create the client without tokens or skip Step 2, the client generates tokens automatically on your first API call. Make sure to retrieve and save the tokens as described in Step 3.
The following example shows the complete visitor session flow, from creating a client to making API calls:
In most cases, the client manages tokens automatically. Use these methods when you need manual control.
If you already have a client instance and need to set tokens on it later, use setTokens():
Once tokens are set, the visitor's data is preserved. For example, items added to a cart or tickets reserved are reflected in future API calls.
Call generateVisitorTokens() to create tokens before making any API calls:
Pass existing tokens to generateVisitorTokens() to confirm they're valid or renew them if expired:
The method returns:
Use renewToken() to generate a new access token without checking if the current one is valid:
Use loggedIn() to check if the current visitor is a logged-in member:
Last updated: 2 July 2026