Go Headless

Build Apps

Client

API Preview

Develop Websites

REST

Velo

GraphQL (Alpha)

# Handle Visitors

> **Share your feedback**<br/>
> [Reach out to us](fallback::https://www.wix.com/support-chatbot?nodeId=407241cc-92c5-42e8-b466-a74e2889df9a&referral=headless) with feedback and suggestions to improve the Wix Headless experience, and join the [Headless channel](fallback::https://discord.gg/MK5VZ9Nu) of the Devs on Wix Discord community to discuss features and connect with our growing community of developers.

In order to handle site visitor sessions you need to generate, manage, and use visitor tokens. Use these tokens when making requests to Wix APIs on behalf of a visitor to maintain the visitor's session.

## Prerequisites

- [Create a project](resourceId::672efad8-7bc6-42bc-a408-8c0f1132ec1d*fallback::https://github.com/wix-private/developer-docs/blob/0dc7f81128353c5dc894da1c43d7f3972bb764f2/headless-docs/setup/create-a-project.md)
- [Create an OAuth app for visitors and members](resourceId::347fe694-293a-427d-a786-8013f8c271a2*fallback::https://github.com/wix-private/developer-docs/blob/0dc7f81128353c5dc894da1c43d7f3972bb764f2/headless-docs/setup/create-an-oauth-app.md)

## Generate new visitor tokens

Generate new visitor tokens using the `Token` endpoint.

When calling the `Token` endpoint, send the following parameters:

- **`clientId`**: The client ID of the [OAuth app](resourceId::347fe694-293a-427d-a786-8013f8c271a2*fallback::https://github.com/wix-private/developer-docs/blob/0dc7f81128353c5dc894da1c43d7f3972bb764f2/headless-docs/setup/create-an-oauth-app.md) your project is using.
- **`grantType`**: Set as `"anonymous"` to get visitor tokens.

```shell
curl --location 'https://www.wixapis.com/oauth2/token' \
--header 'Content-Type: application/json' \
--data '{
  "clientId": "<CLIENT_ID>",
  "grantType": "anonymous"
}'
```

> **Note**: You can also get tokens using URL-encoded data instead of JSON data.
>
> ```shell
> curl --location 'https://www.wixapis.com/oauth2/token' \
> --header 'Content-Type: application/x-www-form-urlencoded' \
> --data-urlencode 'client_id=<CLIENT_ID>' \
> --data-urlencode 'grant_type=anonymous'
> ```

The `Token` endpoint responds with:

- **`access_token`**: An access token used to authorize API calls.
- **`expires_in`**: The number of seconds before the access token expires. Access tokens expire after 4 hours (14,400 seconds).
- **`refresh_token`**: A refresh token used to get a new access token.

```json
{
  "access_token": "OauthNG.JWS.eyJraWQiOiJZSEJzdUpwSCIsImFsZyI6IkhTMjU2In0...",
  "token_type": "Bearer",
  "expires_in": 14400,
  "refresh_token": "JWS.eyJraWQiOiJZSEJzdUpwSCIsImFsZyI6IkhTMjU2In0..."
}
```

Once you have tokens, you can use them to make [authenticated calls to APIs](resourceId::7602d5d2-4bcf-4bad-9262-c43d49bc9702*fallback::https://github.com/wix-private/developer-docs/blob/0dc7f81128353c5dc894da1c43d7f3972bb764f2/headless-docs/coding/rest/make-api-calls-oauth.md) on behalf of the current visitor.

## Store tokens for later

If you want to be able to restore the current session at some point later, store your visitor tokens locally, for example in [`localStorage`](fallback::https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage), a [cookie](fallback::https://developer.mozilla.org/en-US/docs/Web/API/Document/cookie), or a local file.

For example, after generating a visitor token, you can store it in a cookie with a max age of 4 hours. Then, before making API calls, try reading the token from the cookie.

- If the cookie still exists, you can use the access token you stored in the cookie to make the API call.
- If the cookie no longer exists, you can use your refresh token to [renew your visitor tokens](fallback::#renew-visitor-tokens), and then make the API call with the new access token.

## Renew visitor tokens

To renew visitor tokens, call the `Token` endpoint again, this time with the following parameters:

- **`refresh_token`**: The refresh token returned from the previous call to the `Token` endpoint.
- **`grantType`**: Set as `"refresh_token"` to get renewed visitor tokens based off your current refresh token.

```shell
curl --location 'https://www.wixapis.com/oauth2/token' \
--header 'Content-Type: application/json' \
--data '{
    "refresh_token": "<REFRESH_TOKEN>",
    "grantType": "refresh_token"
}'
```

The `Token` endpoint responds with:

- **`access_token`**: An access token used to authorize API calls.
- **`expires_in`**: The number of seconds before the access token expires. Access tokens expire after 4 hours (14,400 seconds).
- **`refresh_token`**: A refresh token used to get a new access token.

```json
{
  "access_token": "OauthNG.JWS.eyJraWQiOiJZSEJzdUpwSCIsImFsZyI6IkhTMjU2In0...",
  "token_type": "Bearer",
  "expires_in": 14400,
  "refresh_token": "JWS.eyJraWQiOiJZSEJzdUpwSCIsImFsZyI6IkhTMjU2In0..."
}
```