Wix Headless uses OAuth 2.0 for authorization and authentication of visitors and members. The OAuth protocol allows visitors or members to grant an external app or site (a "client") access to their data on a Wix project, without them needing to provide the client with their login credentials for the Wix project itself.
The OAuth process works by Wix generating tokens which are used to identify a visitor or member when making API calls. In the case of a visitor, tokens can be generated and stored in a site or app without any action from the visitor. In the case of a member, the member needs to authenticate with Wix so Wix can generate tokens for the specific member.
You can have your members log in in one of two ways:
- Wix-managed login: Redirect your users to a Wix-managed login page. After authenticating, Wix redirects the member back to your site or app.
- Custom login: Use API calls to create your own custom login experience.
To ensure security, each client app or site must also be authorized in advance using the project's dashboard. This is done by creating an OAuth app with an associated Client ID. A client needs this ID, along with access tokens, in order to make API calls to access data from a project.
Note: OAuth doesn't provide access to functions that involve administrative operations at the site or account level, such as managing members or business data. For this, use Admin API Keys.
Create an OAuth app for each client that you will use to interact with your project. For example, if you're creating a site and a mobile app, create two OAuth apps, one for the site and the other for the mobile app.
To create an OAuth app:
1. Open your project dashboard and click Settings in the left sidebar menu.
2. Scroll down to the Advanced section and click Headless Settings.
3. Click Create OAuth App to create an OAuth app for your client.
4. Enter a name for the OAuth app in the App name field and an optional description in the Description field, then click Create OAuth App. Choose a name that identifies the client clearly. For example: "Android Flower Shop Client App" or "Smartwatch Gym Client App". The settings page for your new OAuth app appears.
5. Scroll to the Client info section and copy the Client ID for the OAuth app you created. Use this ID to connect and authenticate with your Wix project from a client. You can retrieve the client ID later from the Headless Settings page.
Many external client sites redirect visitors to Wix-managed pages for processes such as authentication and checkout. Wix then returns the visitor to the external site. To protect data security, Wix only ever redirects visitors to site addresses you approve in the URLs section. Therefore, if you want your external site to redirect to Wix-managed pages, you need to provide approval for the following URLs:
Note: Return to the Headless Settings menu any time to see a list of clients authorized for your project, to retrieve a client ID, or to edit settings.