About Authentication

Wix Headless API calls require authentication to ensure secure access to your headless project's data. Depending on your use case, you can authenticate as a visitor, member, or admin, each with different permissions and capabilities. This article provides an overview of the available identities, the authentication methods you can use, and the login options that enable secure access for your users.

Identities

When you call a Wix API from your headless project, it's called by a specific identity. The API call's authentication strategy defines which identity makes the call.

Wix restricts some methods to particular identities. Authorization notes in the API reference indicate which identities a method allows.

A headless project can use the following identities:

Visitor

Visitors are anonymous users of your headless site or app. Methods that site visitors can call typically involve operations specific to their own experience on the site, such as:

  • Adding products to the current cart
  • Creating a booking

Member

Members are visitors who are logged in to your headless site or app. They can call the same methods available to site visitors, plus additional methods that only apply to their site membership.

Admin

An admin has administrative access to perform site-wide operations. Admins can call methods with stricter authorization requirements. Examples of administrative methods are:

  • Adding products to a store
  • Confirming or canceling bookings
  • Approving new members

Visitor and member authentication

Use this strategy for API calls by anonymous visitors or logged-in members. Operations that access or manage information relating to a current site visitor, such as adding items to the current visitor's cart, require OAuth. With OAuth, your site or app can recognize individual visitors and members using tokens to access their data.

You need to handle visitor and member authentication differently in Wix-managed and self-managed headless projects.

Wix-managed headless

In Wix-managed headless, the CLI handles visitor and member authentication automatically. You don't need to do anything to set it up.

In the background of your project, the CLI creates a Wix client, manages tokens, and uses them to handle authentication when you call the Wix SDK.

Note: If you want to implement member login in a Wix-managed headless project, you need to use a Wix login page.

Self-managed headless

In self-managed headless, you handle visitor and member authentication manually. There are different ways to implement visitor and member authentication when using the JavaScript SDK versus the REST API.

  • Visitors: Wix generates tokens automatically since visitors don't need personal authentication. You also have the option to manually generate tokens. Learn how to implement visitor authentication using the JavaScript SDK or the REST API.
  • Members: Wix must verify their identity through a login process before generating member-specific tokens. Learn how to implement different member login options.

Note: OAuth for Wix Headless only requires a client ID. It doesn't require a client secret.

Admin authentication

Use this strategy for API calls that require administrative access to a Wix site or project's data.

With a Wix API key, you can grant a custom set of permissions to a site or app for accessing or managing business data, including members, orders, products, events, bookings, and more.

Administrative operations at the site or account level, such as creating or deleting members, adding products to your store, or managing orders for a site visitor, require an API key.

In contrast to visitor and member authentication, you may want to use an API key in both Wix-managed and self-managed headless projects.

Learn how to work with API keys using the JavaScript SDK or the REST API.

Note: You can also use this strategy to perform non-admin tasks as long as you are doing so in a secure environment where your API key won't be exposed.
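The identity rules above (OAuth with a client ID only for visitors and members, an API key kept in a secure environment for admin calls), as an added example that is not Wix's own code. The request shapes, the base URL, and the header names `Authorization` and `wix-site-id` are assumptions about the Wix REST API and should be checked against the REST reference; the identity-to-strategy guard is the point of the example.

```javascript
// Added example (not from Wix). Chooses the authentication strategy for a
// headless API call based on the identity making it, following this page:
//  - visitor/member: OAuth access token obtained with a client ID, no secret
//  - admin: API key, only ever used server-side
// Base URL, endpoint path and header names are assumptions; verify them
// against the Wix REST reference before relying on them.

const WIX_API = "https://www.wixapis.com"; // assumed base URL

// Describe the token request for an anonymous visitor. Only the client ID
// is sent: Wix Headless OAuth requires no client secret. Members get their
// token only after a login flow, so that case is not built here.
function visitorTokenRequest(clientId) {
  if (!clientId) throw new Error("clientId is required for visitor auth");
  return {
    method: "POST",
    url: `${WIX_API}/oauth2/token`, // assumed endpoint
    headers: { "Content-Type": "application/json" },
    body: { clientId, grantType: "anonymous" }, // assumed body shape
  };
}

// Build the headers for an API call. An API key is refused in a browser-like
// environment, where it would be exposed to every visitor.
function authHeaders({ identity, accessToken, apiKey, siteId,
                       isBrowser = typeof window !== "undefined" }) {
  switch (identity) {
    case "visitor":
    case "member":
      if (!accessToken) throw new Error(`${identity} calls need an access token`);
      return { Authorization: accessToken }; // assumed header shape
    case "admin":
      if (isBrowser) throw new Error("API key must only be used server-side");
      if (!apiKey || !siteId) throw new Error("admin calls need an API key and site ID");
      return { Authorization: apiKey, "wix-site-id": siteId }; // assumed headers
    default:
      throw new Error(`unknown identity: ${identity}`);
  }
}

// Usage with constructed placeholder values:
const req = visitorTokenRequest("PLACEHOLDER_CLIENT_ID");
console.log(req.url, JSON.stringify(req.body));
console.log(authHeaders({ identity: "admin", apiKey: "PLACEHOLDER_KEY",
                          siteId: "PLACEHOLDER_SITE", isBrowser: false }));
```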
