Introduction
Use the Authentication API to register and login members to a Wix Headless site or app.
To learn more about the registration and login process, see Handler Members with Custom Login.
Retrieve Tokens
Developer Preview - This API is subject to change. Bug fixes and new features will be released based on developer feedback throughout the preview period.
Retrieves access and refresh tokens that a Wix OAuth app can use to make API calls on behalf of a site visitor.
This endpoint accepts requests with both application/json and application/x-www-form-urlencoded content types. The parameter names are the same for both content types.
The endpoint supports several grantType flows for obtaining tokens. Each flow has its own set of required fields.
Here are the supported flows with their required fields:
| Grant Type | Description | Required Fields |
|---|---|---|
authorization_code | Used to obtain access and refresh tokens for an authenticated visitor after obtaining an authorization code. | redirectUricodecodeVerifier |
refresh_token | Used to obtain an access token using a refresh token after the previous one expires. | refreshToken |
anonymous | Used to obtain access and refresh tokens for an unauthenticated site visitor. | N/A |
Syntax
1POST https://www.wixapis.com/oauth2/token
Body Params
| Name | Type | Description |
|---|---|---|
clientId | string | Required: ID of the Wix OAuth app requesting authorization. |
grantType | string | Type of request flow. Supported values: - authorization_code - refresh_token - urn:ietf:params:oauth:grant-type:device_code- anonymous |
refreshToken | string | Refresh token. Required when using the refresh_token grant type. |
redirectUri | string | Redirect URI that passed to the redirect API when requesting an authorization code. Used to verify that the authentication and token requests are from the same source. Required when using the authorization_code grant type. |
code | string | Authorization code. Retrieved using the redirect API. Required when using the authorization_code grant type. |
codeVerifier | string | Code for PKCE verification. This is the encrypted version of the codeChallenge that was sent using the redirect API. Required when using the authorization_code grant type. |
Response Object
Success Response
If a request succeeds, the server returns an HTTP 200 status code with an application/json content type. The response body is a JSON object with the following fields:
| Name | Type | Description |
|---|---|---|
access_token | string | Access token. |
expires_in | integer | Number of seconds until the token expires. |
token_type | string | Token type. Only Bearer is supported. |
refresh_token | string | Refresh token. |
Error Responses
There are two types of error responses:
Invalid redirect URI
If the request includes an invalid redirectUri parameter, the server returns an HTTP 302 status code and redirects the request back to the client. The redirect URL contains a fragment with an error key and one of the following values:
| Error Message | Description |
|---|---|
invalid_request | The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. |
unauthorized_client | The client is not authorized to request an access token using this method. |
access_denied | The request was denied. |
server_error | The authorization server encountered an unexpected condition that prevented it from fulfilling the request. (This error code is needed because a 500 Internal Server Error HTTP status code cannot be returned to the client via an HTTP redirect.) |
temporarily_unavailable | The authorization server is currently unable to handle the request due to a temporary overloading or maintenance of the server. (This error code is needed because a 503 Service Unavailable HTTP status code cannot be returned to the client via an HTTP redirect.) |
Other invalid requests
If the request is invalid for any other reason, the server returns an HTTP 400 status code with an application/json content type. The response body is a JSON object with an error key and one of the following values:
| Error Message | Description |
|---|---|
invalid_request | The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed. |
invalid_client | Client authentication failed. |
invalid_grant | The provided authorization code or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. |
unauthorized_client | The authenticated client is not authorized to use this authorization grant type. |
unsupported_grant_type | The authorization grant type is not supported by the authorization server. |
Examples
Retrieve a visitor access token
All examples use the application/json content type.
Request:
1curl --location 'https://www.wixapis.com/oauth2/token' \2--header 'Content-Type: application/json' \3--data '{4 "clientId": "e345f72c-a4ef-46b6-8b0f-f6b2cd66b78b",5 "grantType": "anonymous"6 }'
Response
1{2 "access_token": "OauthNG.JWS.eyJraWQiOiJZSEDI5M...",3 "token_type": "Bearer",4 "expires_in": 14400,5 "refresh_token": "AQS.eyJraWQiOiJZSEJzdUpwSCIsImFs..."6}
Refresh an access token
Request:
1curl --location 'https://www.wixapis.com/oauth2/token' \2--header 'Content-Type: application/json' \3--data '{4 "refresh_token": "AQS.eyJraWQiOiJZSEJzdUpwSCIsImFs...",5 "grantType": "refresh_token"6 }'
Response
1{2 "access_token": "OauthNG.JWS.eyJraWQiOiJZSEDI5M...",3 "token_type": "Bearer",4 "expires_in": 14400,5 "refresh_token": "AQS.eyJraWQiOiJZSEJzdUpwSCIsImFs..."6}
Retrieve an access token for an authenticated visitor
Request:
1curl --location 'https://www.wixapis.com/oauth2/token' \2--header 'Content-Type: application/json' \3--data '{4 "clientId": "e345f72c-a4ef-46b6-8b0f-f6b2cd66b78b",5 "grantType": "authorization_code",6 "redirectUri": "https://wix-events-nextjs.vercel.app/callback",7 "code": "OLI66BELkX"8 }'
Response
1{2 "access_token": "OauthNG.JWS.eyJraWQiOiJZSEDI5M...",3 "token_type": "Bearer",4 "expires_in": 14400,5 "refresh_token": "AQS.eyJraWQiOiJZSEJzdUpwSCIsImFs..."6}
This API is subject to change. Bug fixes and new features will be released based on developer feedback throughout the preview period.
Registers a new member.
Typically, after a sucessful registration, you generate and use member tokens for the registered member so that subsequent API calls are called as part of a member session.
If the email used to register the member already exists as a contact email, the registering member need to verify the email address using a code that is sent to the address.
This API is subject to change. Bug fixes and new features will be released based on developer feedback throughout the preview period.
Logs in an existing user.
Typically, after a sucessful login, you generate and use member tokens for the logged-in member so that subsequent API calls are called as part of a member session.