Admin operations are backend API calls that require elevated permissions to access or modify a headless project's business data.
Use admin operations to perform actions that affect data beyond the current visitor's session. For example, you can:
The recommended way to perform admin operations for all headless projects is to elevate your API calls using the Wix OAuth flow. You exchange your OAuth app's client ID and client secret for a short-lived access token, then use that token to authorize your admin API calls.
The client secret authenticates your backend code as the app itself, granting it the administrative access needed for admin operations. Unlike the client ID used for visitor and member authentication, the client secret is required only for this elevated flow.
To generate a client secret:
Important: You can only view the client secret once, immediately after you generate it. If you lose it, generate a new one. Store your client secret securely and only use it in backend code.
With your OAuth app's client ID and secret, call the Create Access Token endpoint using the client_credentials grant type:
- client_id: Your OAuth app ID.
- client_secret: Your OAuth app secret.
- grant_type: client_credentials.

For example:
The response contains a short-lived access token:
Pass the access token in the Authorization header of your admin API calls:
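The token flow above, as an added example that is not Wix's own code: a backend helper that reads the credentials from environment variables, requests a token with the client_credentials grant, caches it until shortly before it expires, and builds the Authorization header for admin calls. The token endpoint URL, the JSON request shape and the response fields `access_token` and `expires_in` are assumptions; check them against the Create Access Token reference.

```javascript
// Assumed token endpoint (not taken from this page); verify against the reference.
const TOKEN_URL = "https://www.wixapis.com/oauth2/token";

// Build the client_credentials request. Credentials come from backend
// configuration, never from source or a frontend bundle.
function buildTokenRequest(clientId, clientSecret) {
  if (!clientId || !clientSecret) {
    throw new Error("client_id and client_secret must be set in backend env");
  }
  return {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({
      grant_type: "client_credentials",
      client_id: clientId,
      client_secret: clientSecret,
    }),
  };
}

// Returns a function that yields a valid access token, caching it and
// refreshing it `skewMs` before expiry so a call never goes out with a
// token that expires in flight. fetchImpl and now are injectable for tests.
function createTokenProvider({ clientId, clientSecret, fetchImpl = fetch, now = Date.now, skewMs = 60_000 }) {
  let cached = null; // { token, expiresAt } in ms since epoch
  return async function getAccessToken() {
    if (cached && now() < cached.expiresAt - skewMs) return cached.token;
    const res = await fetchImpl(TOKEN_URL, buildTokenRequest(clientId, clientSecret));
    if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
    const body = await res.json(); // assumed: { access_token, expires_in (seconds) }
    cached = { token: body.access_token, expiresAt: now() + body.expires_in * 1000 };
    return cached.token;
  };
}

// Headers for an admin API call. The page says to pass the token in the
// Authorization header; it does not state a scheme prefix, so the token
// is passed as-is.
function adminHeaders(accessToken) {
  return { Authorization: accessToken, "Content-Type": "application/json" };
}

// Typical backend wiring (env var names are illustrative):
const getAdminToken = createTokenProvider({
  clientId: process.env.WIX_CLIENT_ID,
  clientSecret: process.env.WIX_CLIENT_SECRET,
});
```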
@wix/essentials (Wix Astro projects)

If your project uses the Wix Astro Integration, you don't need to manage credentials or tokens yourself. Authentication and elevation are handled using the @wix/essentials package.
To perform an admin operation from your backend code, wrap a restricted SDK method with auth.elevate() and call the elevated version. The elevated method runs with the permissions it requires.
Warning: Elevation lets your code call methods it typically can't access. Use it intentionally and only in backend code. Pay special attention when using elevate() in backend code that can be triggered from the frontend or exposed as an API to outside callers.
If you're building a self-managed headless project, you can choose to authenticate with an API key. API keys grant a custom set of permissions to your backend code. Unlike OAuth tokens that represent a specific visitor or member, API keys represent administrative access to your project.
To get started with API key authentication:
Important: Store your API keys securely and only use them in backend code.
Last updated: 29 June 2026