About Admin Operations

Admin operations are backend API calls that require elevated permissions to access or modify a headless project's business data.

When to use admin operations

Use admin operations to perform actions that affect data beyond the current visitor's session. For example, you can:

  • Create, approve, or delete site members.
  • Add products to your store or update inventory.
  • Update order status, issue refunds, or fulfill orders.
  • Confirm, cancel, or reschedule bookings.
  • Query all orders, members, or bookings across your project.

The recommended way to perform admin operations for all headless projects is to elevate your API calls using the Wix OAuth flow. You exchange your OAuth app's client ID and client secret for a short-lived access token, then use that token to authorize your admin API calls.

Generate a client secret

The client secret authenticates your backend code as the app itself, granting it the administrative access needed for admin operations. Unlike the client ID used for visitor and member authentication, the client secret is required only for this elevated flow.

To generate a client secret:

  1. In your project dashboard, go to Settings > Development & integrations > Headless Settings.
  2. Next to the relevant headless client, click the more actions menu to open that client's settings.
  3. In the Client info section, under Client secret, click Generate Client Secret.
  4. Copy the client secret and store it securely.

Important: You can only view the client secret once, immediately after you generate it. If you lose it, generate a new one. Store your client secret securely and only use it in backend code.

Get an access token

With your OAuth app's client ID and secret, call the Create Access Token endpoint with the client_credentials grant type, passing these parameters:

  • client_id: Your OAuth app ID.
  • client_secret: Your OAuth app secret.
  • grant_type: client_credentials.

For example:


The response contains a short-lived access token:


Pass the access token in the Authorization header of your admin API calls:

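The exchange described above, as an added example written for this page (not Wix's own code): it builds the client_credentials request, validates the token response, caches the short-lived token in backend memory until shortly before it expires, and attaches it to admin calls. The token endpoint URL, the raw-token Authorization format, and the environment variable names are assumptions; confirm them against the Create Access Token reference.

```javascript
const TOKEN_ENDPOINT = "https://www.wixapis.com/oauth2/token"; // assumed URL

// Request for the Create Access Token endpoint, with the three fields the
// page lists. The secret comes from the caller, never from a literal.
function buildTokenRequest(clientId, clientSecret) {
  return {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      client_id: clientId,
      client_secret: clientSecret,
      grant_type: "client_credentials",
    }),
  };
}

// Validate the response instead of trusting it: an absent or empty
// access_token must fail loudly rather than become an empty Authorization header.
function parseTokenResponse(json, nowMs = Date.now()) {
  if (typeof json.access_token !== "string" || json.access_token === "") {
    throw new Error("token response has no access_token");
  }
  const ttlSec = Number(json.expires_in) || 0;
  return { token: json.access_token, expiresAt: nowMs + ttlSec * 1000 };
}

// Backend-only token provider: reads the credentials from environment
// variables (names assumed) and reuses the short-lived token until 60 s
// before it expires, so each admin call does not re-send the secret.
function makeTokenProvider(fetchImpl, env = process.env) {
  let cached = null;
  return async function getAccessToken(nowMs = Date.now()) {
    if (cached && cached.expiresAt - 60000 > nowMs) return cached.token;
    const { WIX_CLIENT_ID: id, WIX_CLIENT_SECRET: secret } = env;
    if (!id || !secret) throw new Error("missing WIX_CLIENT_ID/WIX_CLIENT_SECRET");
    const res = await fetchImpl(TOKEN_ENDPOINT, buildTokenRequest(id, secret));
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    cached = parseTokenResponse(await res.json(), nowMs);
    return cached.token;
  };
}

// Headers for an admin API call; the access token goes in Authorization
// (raw token value assumed; check the reference for the exact format).
function adminHeaders(accessToken) {
  return { Authorization: accessToken, "Content-Type": "application/json" };
}
```

Pass `makeTokenProvider(fetch)` to your backend code once and call the returned function before each admin request; the client secret never leaves the server process.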

Elevation with @wix/essentials (Wix Astro projects)

If your project uses the Wix Astro Integration, you don't need to manage credentials or tokens yourself. Authentication and elevation are handled using the @wix/essentials package.

To perform an admin operation from your backend code, wrap a restricted SDK method with auth.elevate() and call the elevated version. The elevated method runs with the permissions it requires.

Warning: Elevation lets your code call methods it typically can't access. Use it intentionally and only in backend code. Pay special attention when using elevate() in backend code that can be triggered from the frontend or exposed as an API to outside callers.

API key (self-managed projects)

If you're building a self-managed headless project, you can choose to authenticate with an API key. API keys grant a custom set of permissions to your backend code. Unlike OAuth tokens that represent a specific visitor or member, API keys represent administrative access to your project.

To get started with API key authentication:

Important: Store your API keys securely and only use them in backend code.

Last updated: 29 June 2026