About the OAuth 2 API

The OAuth 2 API allows your app to manage tokens that you can use to authenticate Wix API calls. By default, OAuth authentication follows the OAuth Client Credentials protocol. In most cases, it's sufficient that your app uses this basic OAuth. Wix also offers advanced OAuth settings in case you need to identify your customers along the installation process, or if you need to redirect them at the end of the process before they see your app's dashboard.

With the OAuth 2 API, you can:

Learn more about:

Before you begin

It's important to note the following points before starting to code:

  • If your app uses advanced OAuth, Wix sends you an authorization code while redirecting new users to your app URL. You must use this authorization code within 10 minutes to create a refresh token by calling Request an access token. If the process fails, you're unable to retrieve access tokens with Refresh an Access Token. Though from the site owner's point-of-view, it seems that the app installation has succeeded. You have 2 options in this situation: Ask the site owners to re-install your app, or fall back to retrieving access tokens with the basic OAuth strategy by calling Create Access Token.
  • If your app uses basic OAuth to authenticate Wix API calls, you must create access tokens by calling Create Access Token.

Use cases

Terminology

  • OAuth: Authorization framework used by Wix that enables 3rd-party apps to obtain limited access to Wix APIs. In Wix, OAuth is sometimes also called basic OAuth to differentiate it from advanced OAuth.
  • Advanced OAuth: Advanced version of the OAuth protocol that's used by Wix. Wix recommends that your app uses advanced OAuth only if you need to redirect your users to a URL that's outside the Wix ecosystem during the app installation flow.
  • Authorization code: String that Wix sends to your app during the advanced OAuth flow, after a new user has finished the installation process and granted your app the requested permissions. It has an expiration time of 10 minutes. You must create your app's refresh token before the authorization code expires.
  • Refresh token: String that your app can use to generate access tokens in the advanced OAuth flow. It never expires. Store the refresh token in a secure location. Don't share it with anyone or make it public in any way.
  • Access token: String that you can use in the authorization header to make Wix API calls. All Wix OAuth access tokens are of type "Bearer". Learn more about access token types.
Did this help?