About Admin Operations

Admin operations are backend API calls that require elevated permissions to access or modify a headless project's business data. They're useful for building dashboards, automation scripts, and backend services.

Use cases

Use admin operations to perform actions that affect data beyond the current visitor's session:

  • Create, approve, or delete site members.
  • Add products to your store or update inventory.
  • Update order status, issue refunds, or fulfill orders.
  • Confirm, cancel, or reschedule bookings.
  • Query all orders, members, or bookings across your project.

The recommended way to perform admin operations for all Headless projects is to elevate your API calls using the Wix OAuth flow. In your headless project settings, generate a client secret for your OAuth app. With the OAuth app ID and secret, call the Create Access Token endpoint using the client_credentials grant type:

  • client_id: Your OAuth app ID.
  • client_secret: Your OAuth app secret.
  • grant_type: client_credentials.

For example:

The response contains a short-lived access token:

Pass the access token in the Authorization header of your admin API calls:

Important: Store your client secret securely and only use it in backend code.
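As an added example (not code from the Wix documentation), here is one way a backend service could wrap the flow above so that the secret stays server-side, the short-lived token is reused until shortly before it expires, and errors never echo the credentials. `tokenUrl` is a placeholder for the Create Access Token endpoint; the JSON request body, the `access_token` / `expires_in` response fields, and sending the token as the bare header value are assumptions.

```javascript
// Added example: backend-only token provider for the client_credentials grant.
// Assumptions: tokenUrl is a placeholder, the body is sent as JSON, and the
// response uses the OAuth 2.0 field names access_token and expires_in.
function createAdminTokenProvider({
  tokenUrl, clientId, clientSecret,
  transport = fetch, now = Date.now, skewMs = 30000,
}) {
  if (!tokenUrl || !clientId || !clientSecret) {
    throw new Error('tokenUrl, clientId and clientSecret are required');
  }
  let cached = null;   // { token, expiresAt } for the current token
  let inflight = null; // shared promise so concurrent callers send one request

  async function requestToken() {
    const res = await transport(tokenUrl, {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({
        grant_type: 'client_credentials',
        client_id: clientId,
        client_secret: clientSecret,
      }),
    });
    if (!res.ok) {
      // Report only the status: the request body contains the secret.
      throw new Error(`token request failed with HTTP ${res.status}`);
    }
    const data = await res.json();
    if (typeof data.access_token !== 'string' || data.access_token === '') {
      throw new Error('token response did not contain access_token');
    }
    // A missing expires_in yields a zero lifetime, so the token is never reused.
    const lifetimeMs = (Number(data.expires_in) || 0) * 1000;
    cached = { token: data.access_token, expiresAt: now() + lifetimeMs };
    return cached.token;
  }

  async function getToken() {
    if (cached && now() < cached.expiresAt - skewMs) return cached.token;
    if (!inflight) inflight = requestToken().finally(() => { inflight = null; });
    return inflight;
  }

  // Header object to merge into each admin API call.
  async function authHeaders() {
    return { Authorization: await getToken() };
  }
  return { getToken, authHeaders };
}
```

Create one provider per backend process, reading `clientId` and `clientSecret` from environment variables or a secret manager rather than from source code.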

Elevation with @wix/essentials (Wix Astro projects)

If your project uses the Wix Astro Integration, you don't need to manage credentials or tokens yourself. Authentication and elevation are handled using the @wix/essentials package.

To perform an admin operation from your backend code, wrap a restricted SDK method with auth.elevate() and call the elevated version. The elevated method runs with the permissions it requires.

Warning: Elevation lets your code call methods it typically can't access. Use it intentionally and only in backend code. Pay special attention when using elevate() in backend code that can be triggered from the frontend or exposed as an API to outside callers.

API key (self-managed projects)

If you're building a self-managed headless project, you can choose to authenticate with an API key. API keys grant a custom set of permissions to your backend code. Unlike OAuth tokens that represent a specific visitor or member, API keys represent administrative access to your project.

To get started with API key authentication:

Important: Store your API keys securely and only use them in backend code.

Last updated: 28 June 2026
