Authorization Strategies

Whether you use the Wix REST API to work with a Wix Headless project or to build a Wix App, you need to consider how you authorize your API calls.

Considerations

There are a number of different authorization strategies you can use. The correct strategy depends on:

  • The access types required by the APIs you need to call.
  • The context in which you are making API calls.

Access Types

Each API has a specific set of access types that can be used when calling it.

The access types are:

  • Visitor
  • Member
  • API Key
  • Wix App

For more information about access types, see Access Types and Permissions.

Context

There are several contexts in which you could be making API calls with the REST API:

  • Headless site or app
  • Wix App
  • Wix App dashboard page

Strategies

After understanding which access types are required for making the calls you need and knowing in which context you will be making those calls, choose one of the following authorization strategies.

Headless Visitors and Members with OAuth

When developing functionality for use by anonymous visitors or logged-in members in a Headless site or app, use this OAuth strategy.

With this strategy, your site or app can recognize individual visitors and members and access their data, such as the items they've added to the cart.

To learn how to implement this strategy, see Make API Calls with OAuth in the Headless documentation.

Headless Admin with API Key

When developing functionality that requires administrative access in a Headless project or a Wix App, use an API Key strategy. You can also use this strategy for functionality that doesn't require administrative access, but only in a secure environment (such as a server you control, never client-side code) so that your API Key cannot be leaked.

With this strategy, you can perform administrative operations at the site or account level, such as creating or deleting members, managing orders for any site visitor, or creating a product.

When creating an API Key, you grant it a custom set of permissions for accessing or managing business data, including members, orders, products, events, bookings, and more.

To learn how to implement this strategy, see Make API Calls with an API Key.

Wix Apps with Access Token

When developing functionality that doesn't require account-level access in a Wix App, you can use an OAuth access token strategy.

With this strategy, you can perform all operations except for account-level ones.

Wix Apps with API Key

When developing functionality that requires account-level access in a Wix App, you can use an API Key strategy. API Keys should only be used in a secure environment (such as a server you control, never client-side code) so that your API Key cannot be leaked.

With this strategy, you can perform all operations, including account-level ones.

When creating an API Key, you grant it a custom set of permissions for accessing or managing business data, including members, orders, products, events, bookings, and more.
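The two API Key sections above both stress that the key may only be used in a secure environment. As an added example (not Wix's own code), the Node helper below builds the request headers for the API Key strategy from an environment variable, refuses to run where a browser global is present so the key cannot be shipped to a client, and never echoes the key into logs. The header names `Authorization`, `wix-site-id` and `wix-account-id`, and the variable name `WIX_API_KEY`, are assumptions to check against the Wix "Make API Calls with an API Key" guide.

```javascript
// Added example, not code from the Wix documentation or SDK.
// Assumed: the API key travels in "Authorization"; a site-level call is scoped with
// "wix-site-id" and an account-level call with "wix-account-id". Verify against Wix docs.

function isSecureEnvironment(globalObj = globalThis) {
  // Browser runtimes expose `window` and `document`; a server-side Node process does not.
  // Anything that runs in a browser would hand the API key to every visitor.
  return typeof globalObj.window === "undefined" && typeof globalObj.document === "undefined";
}

function buildApiKeyHeaders({ env, level, id }, globalObj = globalThis) {
  if (!isSecureEnvironment(globalObj)) {
    throw new Error("API Key strategy is server-side only; use OAuth for visitors and members");
  }
  const apiKey = env.WIX_API_KEY; // read from the server environment, never hard-coded
  if (!apiKey) {
    throw new Error("WIX_API_KEY is not set");
  }
  const headers = { Authorization: apiKey, "Content-Type": "application/json" };
  if (level === "site") {
    headers["wix-site-id"] = id;
  } else if (level === "account") {
    headers["wix-account-id"] = id;
  } else {
    throw new Error(`unknown access level: ${level}`);
  }
  return headers;
}

// Safe representation for logging: the secret is replaced, scoping headers are kept.
function redactHeaders(headers) {
  return { ...headers, Authorization: "[redacted]" };
}

// Usage on a server, with a constructed key and site id:
const demo = buildApiKeyHeaders(
  { env: { WIX_API_KEY: "constructed-demo-key" }, level: "site", id: "constructed-site-id" },
  {} // stand-in for a server global object with no window/document
);
console.log(redactHeaders(demo));
```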
