With Wix Headless, you can authenticate members on a site or app using Wix as your identity provider. This allows members to securely sign in and access content or features that are specific to their account, such as their profile, saved items, order history, or other private information.
Wix-managed login uses the OAuth 2.0 protocol with PKCE (Proof Key for Code Exchange) for secure authentication. If you're new to these concepts, see OAuth 2.0 and PKCE explained.
This article explains how to implement Wix-managed member login using the REST API.
You'll learn how to:
Note: Wix-managed login is the simplest way to set up member authentication, as Wix handles the user experience and authentication process. However, you can't change the look and feel of the Wix login page. If you need a custom-branded login experience, create a custom login page.
When using Wix-managed login, you're responsible for writing the code to start the login and handle the response. Wix handles the login UI and authentication.
The login flow looks like this:
Before redirecting a member to login on a Wix-managed login page you need to prepare the following:
redirectUri
must be an allowed authorization redirect URI.Store the code verifier, code challenge, and state parameter locally. For example, you can store them in localStorage
or a cookie. You need to use this data when users are redirected back to your site or app from the Wix-managed login page.
Call Create Redirect Session to get a login URL for the site member.
Important: For this request to succeed, you must publish the Wix site connected to your Headless project. Wix uses the published site to display the login page. To do this, open your project dashboard, select Design Site from the left panel, and then click Publish.
When calling Create Redirect Session, send the following parameters, which include the data you prepared earlier:
redirectUri
: The redirect URI to your login callback. The redirectUri
must be an allowed authorization redirect URI.clientId
: The Client ID of your OAuth app, which can be found in your project's Headless Settings.codeChallenge
: PKCE code challenge string.codeChallengeMethod
: Use "S256"
.responseMode
: Use "fragment"
. The state
and code
will be returned in the URL used to reach the login callback in a URL fragment.responseType
: Use "code"
.scope
: Use "offline_access"
.state
: A state parameter.Note: In the request header, use the access token of the current visitor for authorization.
The response includes:
id
: Redirect session ID.fullUrl
: A URL to the Wix-managed login page.Redirect the site member to the login URL returned by Create Redirect Session.
This redirects site members to the Wix-managed login page, where Wix handles the login process.
Once members log in, Wix redirects them back to your site or app along with information you can use to confirm the login and generate member tokens for frontend API calls.
In your callback handler:
code=
and state=
. Parse the URL to retrieve the code
and state
values.state
value is the same as the state value you retrieved from local storage.code
to generate member tokens.Generate new member tokens by calling Retrieve Tokens.
When calling Retrieve Tokens, send the following parameters:
clientId
: The Client ID of your OAuth app, which can be found in your project's Headless Settings.grantType
: Set as "authorization_code"
to get member tokens with an authorization code.redirectUri
: The same URI passed when calling the Create Redirect Session. The redirectUri
must be an allowed authorization redirect URI.code
: The code you retrieved from the URL fragment in the previous step.codeVerifier
: The code verifier you retrieved from local storage in the previous step.The response includes:
access_token
: An access token used to authorize API calls.expires_in
: The number of seconds before the access token expires. Access tokens expire after 4 hours (14,400 seconds).refresh_token
: A refresh token used to get a new access token.Once you have tokens, you can use them to make authenticated calls to APIs on behalf of the current member.
To log a member out, call Redirect Session
to get a logout URL, and then redirect the member to that URL.
When calling Redirect Session
, send the following parameters:
clientId
: The Client ID of your OAuth app, which can be found in your project's Headless Settings.postFlowUrl
: Where the member will be redirected after logging out.The response includes:
id
: Redirect session ID.fullUrl
: A URL to the Wix-managed login page.Redirect the browser to the returned fullUrl
to log the site member out. The browser is automatically redirected back to the postFlowUrl
that you passed to Create Redirect Session.
If you encounter issues with Wix-managed login, make sure that:
redirectUri
parameter passed to Redirect Session
is listed in your allowed authorization redirect URIs, and that the values match exactly.