Authorization Strategies

Whether you use the Wix JavaScript SDK to work with a Wix Headless project or to build a Wix App, you need to consider how you authorize your API calls.

Considerations

There are a number of different authorization strategies you can use. The correct strategy depends on:

  • The access types required by the APIs you need to call.
  • The context in which you are making API calls.

Access Types

Each API has a specific set of access types that can be used when calling it.

The access types are:

  • Visitor
  • Member
  • API Key
  • Wix App

For more information about access types, see Access Types and Permissions

Context

There are several contexts in which you could be making API calls with the SDK:

  • Headless site or app
  • Wix App
  • Wix App dashboard page

Strategies

After understanding which access types are required for making the calls you need and knowing in which context you will be making those calls, choose one of the following authorization strategies.

Headless visitors and members with OAuth

When developing functionality for use by anonymous visitors or logged-in members in a Headless site or app, use this OAuth strategy.

With this strategy, your site or app can recognize individual visitors and members and access their data, such as the items they've added to the cart.

To learn how to implement this strategy, see Create a client with OAuth in the Headless documentation.

Headless admin with API Key

When developing functionality that requires administrative access in a Headless project or a Wix App, use an API Key strategy. You can also use this strategy when developing functionality that doesn't require administrative access, but only in a secure environment to prevent your API Key from being leaked.

With this strategy, you can perform administrative operations at the site or account level, such as create or delete members, manage orders for any site visitor, or create a product.

When creating an API Key, you grant it a custom set of permissions for accessing or managing business data, including members, orders, products, events, bookings, and more.

To learn how to implement this strategy, see Create a Client with an API Key.

Wix Apps with access token

When developing functionality that doesn't require account-level access in Wix App, you can use an OAuth access token strategy.

With this strategy, you can perform all operations except for account-level ones.

To learn how to implement this strategy, see Build Your App: OAuth.

Wix Apps with API Key

When developing functionality that requires account-level access in a Wix App, you can use an API Key strategy. API Keys should only be used in a secure environment to prevent your API Key from being leaked.

With this strategy, you can perform all operations, including account-level ones.

When creating an API Key, you grant it a custom set of permissions for accessing or managing business data, including members, orders, products, events, bookings, and more.

To learn how to implement this strategy, see Build Your App: API Keys.

App dashboard pages with Dashboard SDK auth strategy

When developing functionality that doesn't require account-level access in a Wix App dashboard page, you can use the Dashboard SDK Auth strategy.

To learn how to implement this strategy, see Working with Wix APIs.

Site and Account IDs

When using an API Key authentication strategy you need to provide either a siteId, your accountId, or both.

Site ID

The site ID for the project or site you are working with. You can extract this from the URL in your browser when accessing the project or site dashboard. The site ID appears after /dashboard/ in the URL.

Account ID

Your Wix account ID. You can retrieve this from the API Keys page in your account settings.

Was this helpful?
Yes
No