Some SDK methods require elevated permissions to access sensitive data or perform privileged operations. For example, retrieving site properties or accessing business data often requires app-level authorization that site visitors, site members, and Wix users don't have. Without elevation, these calls return a 403 Forbidden error.
Note: To determine whether a method requires elevation, check that method's reference documentation.
To elevate API call permissions:
Note: For a complete walkthrough, including an elevated endpoint call from the frontend, see Upload Images to CMS.
Important: Exposing elevated API calls creates a risk of privilege escalation attacks. Protect your exposed API calls with logic that validates who can call them and what operations they can perform.
Set up your backend to handle requests for elevated API calls from your frontend.
To set up your backend:
1. Create an HTTP endpoint. Do only "Step 1 | Create the endpoint file" from the linked article.
2. In the file that defines your endpoint, import APIRoute from astro, the auth submodule from @wix/essentials, and the module containing the method you want to call with elevated permissions.
3. Expose an endpoint that calls the API method you need. Wrap the method with auth.elevate() before calling it.
Call your backend endpoint from your frontend code by using the standard fetch() API with this path: /api/<your-endpoint-name>.
These examples show how to elevate Get Site Properties.
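The Important note above asks for logic that validates who can call an exposed elevated endpoint and what it can do. The following is an added example, not Wix's code, of such a guard that an endpoint could run before invoking the method wrapped with auth.elevate(). It assumes the caller's identity and role are resolved on the server from the session, never taken from the request body; all type, function, and field names in it are hypothetical.

```typescript
// Added example; Role, Caller, POLICY, decide, pick and guardElevated are hypothetical names.
type Role = "visitor" | "member" | "admin";
interface Caller { id: string | null; role: Role }
interface Rule { roles: Role[]; fields: string[] }
interface Decision { status: 200 | 400 | 403; fields: string[] }

// Deny by default: an operation that is not listed here never runs elevated.
// The field names are constructed sample values, not the SDK's response schema.
const POLICY: Record<string, Rule> = {
  getSiteProperties: { roles: ["member", "admin"], fields: ["displayName", "language"] },
};

// Decide from the server-resolved caller and the requested operation.
function decide(caller: Caller, operation: string): Decision {
  // Own-property lookup so names such as "constructor" do not match inherited keys.
  const known = Object.prototype.hasOwnProperty.call(POLICY, operation);
  const rule = known ? POLICY[operation] : undefined;
  if (!rule) return { status: 400, fields: [] };
  if (!caller.id || rule.roles.indexOf(caller.role) === -1) {
    return { status: 403, fields: [] };
  }
  return { status: 200, fields: rule.fields };
}

// Return only allow-listed fields so the elevated result is not over-exposed.
function pick(data: Record<string, unknown>, fields: string[]): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const f of fields) {
    if (Object.prototype.hasOwnProperty.call(data, f)) out[f] = data[f];
  }
  return out;
}

// elevatedCall stands for the SDK method after it has been wrapped with auth.elevate().
// It is invoked only after the caller and the operation have both been accepted.
async function guardElevated(
  caller: Caller,
  operation: string,
  elevatedCall: () => Promise<Record<string, unknown>>,
): Promise<{ status: number; body: Record<string, unknown> }> {
  const decision = decide(caller, operation);
  if (decision.status !== 200) return { status: decision.status, body: {} };
  return { status: 200, body: pick(await elevatedCall(), decision.fields) };
}
```

In an endpoint, the status and body returned by guardElevated map directly onto the HTTP response, so a rejected caller gets a 403 without the elevated method ever running.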