Wix Headless API calls must be authenticated to ensure secure access to your site's data. Depending on your use case, you can authenticate as a visitor, member, or admin, each with different permissions and capabilities. This article provides an overview of the available identities, the authentication methods you can use, and the login options that enable secure access for your users.
When you call a Wix API from your Headless project, the call is made as a specific identity. Which identity depends on the credentials you authenticate with: visitor or member access tokens, or an API key. With the Wix JavaScript SDK, you pass the tokens or API key when you create a Wix client and then make API calls through that client. With the REST API, you send the tokens or API key with each call you make.
Some methods are restricted to particular identities. Authorization notes in the SDK and REST references indicate when a method is restricted by identity, so check them before deciding how to authenticate a call.
A Headless project can use the following identities:
Visitors are anonymous users of your Headless site or app who have not logged in. Methods that visitors can call typically involve operations specific to their own experience on the site, such as:
Learn how to work with visitor authentication (SDK | REST).
Members are visitors who are logged in to your Headless site or app. They can call the same methods available to site visitors, plus additional methods that only apply to their site membership.
Learn how to work with members using:
An API key authenticates your calls as an admin rather than as a visitor or member, so you can call methods with stricter authorization requirements. Examples of administrative methods you can call with an API key are:
Learn how to work with API keys (SDK | REST).
Every Wix API call made from your Headless site or app must be authenticated. There are two authentication strategies you can implement when working with Wix APIs:
Use this strategy if you are creating a site or app that requires administrative access to a Wix site or project's data.
With a Wix API key, you grant a site or app a custom set of permissions for accessing or managing business data, including members, orders, products, events, bookings, and more. Grant only the permissions the app actually needs, because anyone holding the key can exercise all of them.
Administrative operations at the site or account level, such as creating or deleting members, managing orders for any site visitor, or creating a product, require an API key.
Example: A custom dashboard app for managing a Wix site or project and its member data.
You can also use this strategy for non-admin tasks, but only from a secure environment, such as your own backend or server-side code, where the API key is never exposed. Never embed an API key in code that ships to a browser or mobile app: anyone who extracts it can use every permission granted to the key.
Example: Querying products or events from your site or app backend.
To get started with this strategy, generate an API key.
Use this strategy if you are creating a site or app for use by anonymous visitors or logged-in members.
With Visitor and Member OAuth, your site or app can recognize individual visitors and members and access their data. Operations that access or manage information relating to a current site visitor, such as adding items to the current visitor's cart, require Visitor and Member OAuth.
Example: An online store that handles products, orders, and checkouts.
To get started with this strategy, create an OAuth app.
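As an added example (not code from the Wix documentation or SDK), the following JavaScript shows how a Headless backend might choose the strategy per call: it derives the identity from the credentials, rejects operations that the identity cannot perform before the request is sent, and refuses to use an API key from browser-like code. The header names (`Authorization`, `wix-site-id`), the `Bearer` scheme for OAuth tokens, the `member` flag, the operation names and the request paths are assumptions made for this example; check the REST reference for the exact values.

```javascript
// Added example, not code from the Wix docs or SDK: choosing between the
// API key strategy and Visitor and Member OAuth for a single REST call.
// Assumptions (verify against the Wix REST reference): API key calls send
// the key in "Authorization" plus the site in "wix-site-id"; OAuth calls
// send "Authorization: Bearer <accessToken>". Paths are illustrative.

const WIX_API_BASE = "https://www.wixapis.com";

// Operations the article describes as admin-only (API key) versus scoped
// to the current visitor or member (OAuth). These labels are names chosen
// for this example, not Wix method identifiers.
const ADMIN_ONLY = new Set(["createProduct", "deleteMember", "manageAnyOrder"]);
const CURRENT_IDENTITY_ONLY = new Set(["addToCurrentCart", "getCurrentMember"]);

// An API key carries every permission granted to it, so it must never run
// in code delivered to a browser. This check is a guardrail only; the real
// protection is keeping the key out of client bundles entirely.
function isBrowserLike(env) {
  return typeof env.window !== "undefined" && typeof env.document !== "undefined";
}

// Map credentials to the identity the call will be made as.
function identityOf(auth) {
  switch (auth.type) {
    case "apiKey":
      return "admin";
    case "oauth":
      // `member` is set by the caller once a member login has completed (assumption).
      return auth.member ? "member" : "visitor";
    default:
      throw new Error(`unknown auth type: ${auth.type}`);
  }
}

// Fail early instead of letting the API reject the call with a 403.
function assertAllowed(operation, auth) {
  const identity = identityOf(auth);
  if (ADMIN_ONLY.has(operation) && identity !== "admin") {
    throw new Error(`${operation} requires an API key; called as ${identity}`);
  }
  if (CURRENT_IDENTITY_ONLY.has(operation) && identity === "admin") {
    throw new Error(`${operation} acts on the current visitor or member; an API key has no current visitor`);
  }
  return identity;
}

// Build the authentication headers for the chosen strategy.
function buildAuthHeaders(auth, env = globalThis) {
  if (auth.type === "apiKey") {
    if (isBrowserLike(env)) {
      throw new Error("refusing to use an API key from client-side code");
    }
    if (!auth.apiKey || !auth.siteId) {
      throw new Error("API key strategy needs apiKey and siteId");
    }
    return { Authorization: auth.apiKey, "wix-site-id": auth.siteId };
  }
  if (auth.type === "oauth") {
    if (!auth.accessToken) throw new Error("OAuth strategy needs an accessToken");
    return { Authorization: `Bearer ${auth.accessToken}` };
  }
  throw new Error(`unknown auth type: ${auth.type}`);
}

// Assemble a request description that can be handed to fetch(url, options).
function buildRequest(operation, path, body, auth, env = globalThis) {
  assertAllowed(operation, auth);
  return {
    url: WIX_API_BASE + path,
    method: "POST",
    headers: { "Content-Type": "application/json", ...buildAuthHeaders(auth, env) },
    body: JSON.stringify(body),
  };
}
```

A backend that serves both kinds of traffic keeps one API key credential in server configuration for admin work (and for non-admin reads it performs on its own behalf), and forwards the visitor's or member's own tokens for anything that touches "the current" cart, member or order, so that the identity Wix sees matches the person the request is for.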
When using OAuth for authentication, members must log in so Wix can verify their identity before giving access to their data. This login process generates tokens that your app uses to make secure, member-specific API calls. For visitors, tokens can be generated automatically since no personal authentication is needed.
You can have your members log in by:
To ensure security, each client app or site must also be authorized in advance in the project's dashboard. You do this by creating an OAuth app, which is assigned a Client ID. A client needs this Client ID to obtain access tokens, and the access tokens to make API calls against the project's data.
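As an added example (not code from the Wix documentation or SDK), the following JavaScript keeps a visitor's tokens valid across calls: it requests anonymous visitor tokens with the OAuth app's Client ID, turns the relative `expires_in` into an absolute expiry, and refreshes with the refresh token shortly before the access token expires. The token endpoint URL, the `anonymous` and `refresh_token` grant types and the response field names are assumptions based on the OAuth token conventions Wix uses; the Client ID and the sample response are constructed placeholders. The decision logic is kept pure so it can be tested without network access; only `ensureVisitorTokens` performs I/O.

```javascript
// Added example, not code from the Wix docs or SDK: visitor token lifecycle
// for a Headless client. Endpoint, grant types and field names are
// assumptions; confirm them against the Wix REST reference.

const TOKEN_ENDPOINT = "https://www.wixapis.com/oauth2/token"; // assumption
const REFRESH_SKEW_MS = 60 * 1000; // refresh a minute early so slow requests do not hit a 401

// Constructed placeholder shaped like a token-endpoint response; not a real Wix response.
const SAMPLE_TOKEN_RESPONSE = {
  access_token: "visitor-access-token-placeholder",
  refresh_token: "visitor-refresh-token-placeholder",
  token_type: "Bearer",
  expires_in: 14400,
};

// Decide what, if anything, must be sent to the token endpoint before the
// next API call. Returns null when the current access token is still good.
function planTokenRequest(tokens, clientId, nowMs) {
  if (!tokens) {
    // First visit: no personal authentication is needed, so ask for anonymous tokens.
    return { grantType: "anonymous", body: { clientId, grantType: "anonymous" } };
  }
  if (nowMs >= tokens.expiresAt - REFRESH_SKEW_MS) {
    return {
      grantType: "refresh_token",
      body: { refreshToken: tokens.refreshToken, grantType: "refresh_token" },
    };
  }
  return null;
}

// Validate a token-endpoint response and convert expires_in (seconds) into
// an absolute expiry so the client can refresh proactively.
function parseTokenResponse(json, nowMs) {
  const { access_token, refresh_token, expires_in, token_type } = json;
  if (typeof access_token !== "string" || typeof refresh_token !== "string") {
    throw new Error("token response is missing access_token or refresh_token");
  }
  if (!Number.isInteger(expires_in) || expires_in <= 0) {
    throw new Error("token response has an invalid expires_in");
  }
  if (token_type && token_type.toLowerCase() !== "bearer") {
    throw new Error(`unexpected token_type: ${token_type}`);
  }
  return {
    accessToken: access_token,
    refreshToken: refresh_token,
    expiresAt: nowMs + expires_in * 1000,
  };
}

// Header to attach to API calls made as this visitor (Bearer scheme assumed).
function authHeader(tokens) {
  return { Authorization: `Bearer ${tokens.accessToken}` };
}

// Thin I/O wrapper around the pure functions above. Uses global fetch
// (Node 18+ or a browser); inject fetchImpl and now for testing.
async function ensureVisitorTokens(tokens, clientId, fetchImpl = fetch, now = Date.now) {
  const plan = planTokenRequest(tokens, clientId, now());
  if (!plan) return tokens;
  const res = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(plan.body),
  });
  if (!res.ok) throw new Error(`${plan.grantType} token request failed: HTTP ${res.status}`);
  return parseTokenResponse(await res.json(), now());
}
```

Because these tokens are what lets Wix recognize an individual visitor, store them per browser (for example in a cookie set by your backend, or in client-side storage) and never in a shared server-side singleton; otherwise visitors will act on each other's carts and data. Treat the refresh token as a credential, since it can mint new access tokens without any further login.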