Authorization Strategies

If you use the Wix JavaScript SDK to work with a Wix Headless project, to build a Self-hosted Wix app, as a Channel partner, or as an Enterprise partner, you need to consider how you authorize your API calls.

Considerations

There are a number of different authorization strategies you can use. The correct strategy depends on:

  • The identities required by the APIs you need to call.
  • The context in which you are making API calls.

Identities

Each API has a specific set of identities that can be used when calling it.

The identity types are:

  • Visitor
  • Member
  • User
  • API Key (Admin)
  • Wix App

For more information about identities, see About Identities.

Context

There are several contexts in which you could be making API calls with the SDK:

  • Headless site or app
  • Channel or Enterprise partner
  • Wix App
  • Wix App dashboard page

Strategies

Once you've identified the necessary identities for your API calls and determined the context in which these calls will occur, refer to the table below to choose an appropriate authorization strategy.

Context                  Identity            Strategy
Headless                 Visitors, Members   OAuth
Headless                 Admin               API Key
Channel or Enterprise    Admin               API Key
Wix App                  App, Users          OAuth
Wix App dashboard page   Users               Dashboard SDK Auth

Headless visitors and members with OAuth

When developing functionality for use by anonymous visitors or logged-in members in a Headless site or app, use this OAuth strategy.

With this strategy, your site or app can recognize individual visitors and members and access their data, such as the items they've added to the cart.

To learn how to implement this strategy, see Create a client with OAuth in the Headless documentation.

Admin access with API Key

When developing functionality that requires administrative access at the account level, or for a custom (private) app, use an API Key strategy. You can also use this strategy for functionality that doesn't require administrative access, but only in a secure environment where your API Key cannot be leaked.

This strategy is recommended for Channel partners, Enterprise partners, and headless admin use cases that don't require acting on behalf of an app, Wix users, site members, or visitors.

With this strategy, you can perform administrative operations at the site or account level, such as create or delete team members, invite site collaborators, manage orders for any site visitor, or create a product.

When creating an API Key, you grant it a custom set of permissions for accessing or managing business data, including accounts, members, orders, products, events, bookings, and more.

To learn how to implement this strategy for a headless project, see Create a Client with an API Key.

To learn how to implement this strategy as a Channel or Enterprise admin, see the ApiKeyStrategy in About the Wix Client.

To learn how to create an API key, see Generating an API Key.

Wix Apps with access token

When developing app functionality that requires taking actions as the app, as Wix users (using elevation), or as site visitors or site members (passing an access token from the frontend), use an OAuth access token strategy.

With this strategy, you can perform all site-level operations.

To learn how to implement this strategy, see Build Your App: OAuth.

App dashboard pages with Dashboard SDK auth strategy

When developing functionality that requires taking actions on behalf of Wix users in a Wix App dashboard page, you can use the Dashboard SDK Auth strategy.

To learn how to implement this strategy, see Working with Wix APIs.

Site and Account IDs

When using an API Key authentication strategy you need to provide either a siteId, your accountId, or both.

Site ID

The site ID for the project or site you are working with. You can extract this from the URL in your browser when accessing the project or site dashboard. The site ID appears after /dashboard/ in the URL.

Account ID

Your Wix account ID. You can retrieve this from the API Keys page in your account settings.

Note that some API calls, specifically all the APIs under the Account Level Modules category, are only accessible using an API key.
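The following is an added example, not code from the Wix SDK or its documentation. It encodes the strategy table above as a selector that refuses to hand an API Key to browser code, checks that a siteId or accountId accompanies it, and extracts the site ID from a dashboard URL as described. The environment variable names (WIX_API_KEY, WIX_SITE_ID, WIX_ACCOUNT_ID, WIX_CLIENT_ID) and the sample URL are assumptions; the returned option objects are plain data, not SDK calls.

```javascript
// Added example: choose an authorization strategy from the page's table and
// enforce the API Key caveat (secure environment only). Env var names are assumed.
const STRATEGY_TABLE = {
  headless: { visitor: "OAuthStrategy", member: "OAuthStrategy", admin: "ApiKeyStrategy" },
  partner: { admin: "ApiKeyStrategy" },          // Channel or Enterprise partner
  app: { app: "OAuthStrategy", user: "OAuthStrategy" },
  dashboard: { user: "DashboardSdkAuth" },       // Wix App dashboard page
};

// The site ID is the path segment immediately after /dashboard/ in the dashboard URL.
function siteIdFromDashboardUrl(url) {
  const m = new URL(url).pathname.match(/\/dashboard\/([0-9a-f-]{36})(?:\/|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// identities: array of "visitor" | "member" | "admin" | "app" | "user"
function chooseStrategy({ context, identities, inBrowser, env }) {
  const row = STRATEGY_TABLE[context];
  if (!row) throw new Error(`unknown context: ${context}`);
  const names = new Set(identities.map((id) => row[id]));
  if (names.has(undefined)) throw new Error(`identity not available in context "${context}"`);
  if (names.size !== 1) throw new Error("identities need different strategies; use separate clients");
  const [name] = names;
  if (name === "ApiKeyStrategy") {
    // An API Key carries admin rights; it must never reach client-side code.
    if (inBrowser) throw new Error("ApiKeyStrategy is not allowed in browser code");
    if (!env.WIX_API_KEY) throw new Error("WIX_API_KEY is not set");
    if (!env.WIX_SITE_ID && !env.WIX_ACCOUNT_ID) throw new Error("provide WIX_SITE_ID, WIX_ACCOUNT_ID, or both");
    return { name, options: { apiKey: env.WIX_API_KEY, siteId: env.WIX_SITE_ID, accountId: env.WIX_ACCOUNT_ID } };
  }
  if (name === "OAuthStrategy") {
    if (!env.WIX_CLIENT_ID) throw new Error("WIX_CLIENT_ID is not set");
    return { name, options: { clientId: env.WIX_CLIENT_ID } }; // a client ID is safe to ship to browsers
  }
  return { name, options: {} }; // Dashboard SDK Auth takes its context from the dashboard host
}
```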
