About Authentication for Self-Managed Headless

In self-managed headless projects, you must handle authentication manually. This article explains the identities and authentication strategies you need to implement.

Note: In Wix-managed headless, if you build with Wix's Astro integration, the CLI handles visitor and member authentication automatically, so you don't configure OAuth or manage tokens yourself. With any other framework, you set up authentication as described here.

Identities

When you call a Wix API from your headless project, it's called by a specific identity.

Wix restricts some methods based on which identities can call them. Authorization notes in the API reference indicate when an identity restricts a method.

A headless project can use the following identities:

  • Visitor
  • Member
  • API key admin
  • Wix app (used by backend code for admin operations)

Visitor and member authentication

Operations that access or manage information relating to a current site visitor, such as adding items to the current visitor's cart, require OAuth. With OAuth, your site or app can recognize individual visitors and members using tokens to access their data.

  • Visitors: Wix generates tokens automatically since visitors don't need personal authentication. You also have the option to manually generate tokens. Learn how to implement visitor authentication using the JavaScript SDK or the REST API.
  • Members: Wix must verify their identity through a login process before generating member-specific tokens. Learn how to implement different member login options.

Note: Visitor and member authentication requires only a client ID, not a client secret. You need a client secret only to perform admin operations using the OAuth client_credentials flow.

Admin authentication

For API calls that require administrative access, the recommended approach is the OAuth client_credentials flow. You exchange your OAuth app's client ID and client secret for a short-lived admin access token, which runs as the Wix app identity. Your headless OAuth client is itself a private app installed on your site, so the token acts as that app.

For admin access that reaches beyond your project's own site, such as account-level operations or external integrations, use an API key instead.

Learn more about admin operations.

See also

Last updated: 14 July 2026

Did this help?