If you use the Wix JavaScript SDK to work with a Wix Headless project, to build a Self-hosted Wix app, as a Channel partner, or as an Enterprise partner, you need to consider how you authorize your API calls.
There are a number of different authorization strategies you can use. The correct strategy depends on:
Each API has a specific set of identities that can be used when calling it.
The identity types are:
For more information about identities, see About Identities.
There are several contexts in which you could be making API calls with the SDK:
Once you've identified the necessary identities for your API calls and determined the context in which these calls will occur, refer to the table below to choose an appropriate authorization strategy.
| Context | Identity | Strategy |
|---|---|---|
| Headless | Visitors, Members | OAuth |
| Headless | Admin | API Key |
| Channel or Enterprise | Admin | API Key |
| Wix App | App, Users | Oauth |
| Wix App dashboard page | Users | Dashboard SDK Auth |
When developing functionality for use by anonymous visitors or logged-in members in a Headless site or app, use this OAuth strategy.
With this strategy, your site or app can recognize individual visitors and members and access their data, such as the items they've added to the cart.
To learn how to implement this strategy, see Create a client with OAuth in the Headless documentation.
When developing functionality that requires administrative access at the account level and/or for a custom/private app, use an API Key strategy. You can also use this strategy when developing functionality that doesn't require administrative access, but only in a secure environment to prevent your API Key from being leaked.
This strategy is recommended for Channel partners, Enterprise partners and headless admins that don't require taking actions on behalf of an app, Wix users, site members or visitors.
With this strategy, you can perform administrative operations at the site or account level, such as create or delete team members, invite site collaborators, manage orders for any site visitor, or create a product.
When creating an API Key, you grant it a custom set of permissions for accessing or managing business data, including accounts, members, orders, products, events, bookings, and more.
To learn how to implement this strategy for a headless project, see Create a Client with an API Key.
To learn how to implement this strategy as a Channel or Enterprise admin, see the ApiKeyStrategy in About the Wix Client.
To learn how to create an API key, see Generating an API Key.
When developing app functionality that requires taking actions as the app, as Wix users (when using elevation), or site visitors or site members (when passing an access token from the frontend), you should use an OAuth access token strategy.
With this strategy, you can perform all site-level operations.
To learn how to implement this strategy, see Build Your App: OAuth.
When developing functionality that requires taking actions on behalf of Wix users in a Wix App dashboard page, you can use the Dashboard SDK Auth strategy.
To learn how to implement this strategy, see Working with Wix APIs.
When using an API Key authentication strategy you need to provide either a siteId, your accountId, or both.
The site ID for the project or site you are working with. You can extract this from the URL in your browser when accessing the project or site dashboard. The site ID appears after /dashboard/ in the URL.
Your Wix account ID. You can retrieve this from the API Keys page in your account settings.
Note that some API calls, specifically all the APIs under the Account Level Modules category, are only accessible using an API key.