Introduction

Use the Authentication API to register and login members to a Wix Headless site or app.

To learn more about the registration and login process, see Handler Members with Custom Login.

Was this helpful?
Yes
No

Retrieve Tokens

Developer Preview - This API is subject to change. Bug fixes and new features will be released based on developer feedback throughout the preview period.

Retrieves access and refresh tokens that a Wix OAuth app can use to make API calls on behalf of a site visitor.

This endpoint accepts requests with both application/json and application/x-www-form-urlencoded content types. The parameter names are the same for both content types.

The endpoint supports several grantType flows for obtaining tokens. Each flow has its own set of required fields. Here are the supported flows with their required fields:

Grant TypeDescriptionRequired Fields
authorization_codeUsed to obtain access and refresh tokens for an authenticated visitor after obtaining an authorization code.redirectUri
code
codeVerifier
refresh_tokenUsed to obtain an access token using a refresh token after the previous one expires.refreshToken
anonymousUsed to obtain access and refresh tokens for an unauthenticated site visitor.N/A

Syntax

Copy Code
POST https://www.wixapis.com/oauth2/token

Body Params

NameTypeDescription
clientIdstringRequired: ID of the Wix OAuth app requesting authorization.
grantTypestringType of request flow.
Supported values:
- authorization_code
- refresh_token
- urn:ietf:params:oauth:grant-type:device_code
- anonymous
refreshTokenstringRefresh token. Required when using the refresh_token grant type.
redirectUristringRedirect URI that passed to the redirect API when requesting an authorization code. Used to verify that the authentication and token requests are from the same source. Required when using the authorization_code grant type.
codestringAuthorization code. Retrieved using the redirect API. Required when using the authorization_code grant type.
codeVerifierstringCode for PKCE verification. This is the encrypted version of the codeChallenge that was sent using the redirect API. Required when using the authorization_code grant type.

Response Object

Success Response

If a request succeeds, the server returns an HTTP 200 status code with an application/json content type. The response body is a JSON object with the following fields:

NameTypeDescription
access_tokenstringAccess token.
expires_inintegerNumber of seconds until the token expires.
token_typestringToken type. Only Bearer is supported.
refresh_tokenstringRefresh token.

Error Responses

There are two types of error responses:

Invalid redirect URI

If the request includes an invalid redirectUri parameter, the server returns an HTTP 302 status code and redirects the request back to the client. The redirect URL contains a fragment with an error key and one of the following values:

Error MessageDescription
invalid_requestThe request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
unauthorized_clientThe client is not authorized to request an access token using this method.
access_deniedThe request was denied.
server_errorThe authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.)
temporarily_unavailableThe authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via an HTTP redirect.)

Other invalid requests

If the request is invalid for any other reason, the server returns an HTTP 400 status code with an application/json content type. The response body is a JSON object with an error key and one of the following values:

Error MessageDescription
invalid_requestThe request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.
invalid_clientClient authentication failed.
invalid_grantThe provided authorization code or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client.
unauthorized_clientThe authenticated client is not authorized to use this authorization grant type.
unsupported_grant_typeThe authorization grant type is not supported by the authorization server.

Examples

Retrieve a visitor access token

All examples use the application/json content type.

Request:

Copy Code
curl --location 'https://www.wixapis.com/oauth2/token' \
--header 'Content-Type: application/json' \
--data '{
"clientId": "e345f72c-a4ef-46b6-8b0f-f6b2cd66b78b",
"grantType": "anonymous"
}'

Response

Copy Code
{
"access_token": "OauthNG.JWS.eyJraWQiOiJZSEDI5M...",
"token_type": "Bearer",
"expires_in": 14400,
"refresh_token": "AQS.eyJraWQiOiJZSEJzdUpwSCIsImFs..."
}

Refresh an access token

Request:

Copy Code
curl --location 'https://www.wixapis.com/oauth2/token' \
--header 'Content-Type: application/json' \
--data '{
"refresh_token": "AQS.eyJraWQiOiJZSEJzdUpwSCIsImFs...",
"grantType": "refresh_token"
}'

Response

Copy Code
{
"access_token": "OauthNG.JWS.eyJraWQiOiJZSEDI5M...",
"token_type": "Bearer",
"expires_in": 14400,
"refresh_token": "AQS.eyJraWQiOiJZSEJzdUpwSCIsImFs..."
}

Retrieve an access token for an authenticated visitor

Request:

Copy Code
curl --location 'https://www.wixapis.com/oauth2/token' \
--header 'Content-Type: application/json' \
--data '{
"clientId": "e345f72c-a4ef-46b6-8b0f-f6b2cd66b78b",
"grantType": "authorization_code",
"redirectUri": "https://wix-events-nextjs.vercel.app/callback",
"code": "OLI66BELkX"
}'

Response

Copy Code
{
"access_token": "OauthNG.JWS.eyJraWQiOiJZSEDI5M...",
"token_type": "Bearer",
"expires_in": 14400,
"refresh_token": "AQS.eyJraWQiOiJZSEJzdUpwSCIsImFs..."
}
Was this helpful?
Yes
No

PostRegister V 2

Developer Preview - This API is subject to change. Bug fixes and new features will be released based on developer feedback throughout the preview period.

Registers a new member.

Typically, after a sucessful registration, you generate and use member tokens for the registered member so that subsequent API calls are called as part of a member session.

If the email used to register the member already exists as a contact email, the registering member need to verify the email address using a code that is sent to the address.

Syntax

POST
https://www.wixapis.com/_api/iam/authentication/v2/register

Was this helpful?
Yes
No

PostLogin V 2

Developer Preview - This API is subject to change. Bug fixes and new features will be released based on developer feedback throughout the preview period.

Logs in an existing user.

Typically, after a sucessful login, you generate and use member tokens for the logged-in member so that subsequent API calls are called as part of a member session.

Syntax

POST
https://www.wixapis.com/_api/iam/authentication/v2/login

Was this helpful?
Yes
No