## Resource: Authorization Strategies

## Article: Authorization Strategies

## Article Link: https://dev.wix.com/docs/sdk/articles/set-up-a-client/authorization-strategies.md

## Article Content:

# Authorization Strategies

If you are using the Wix JavaScript SDK to work with a [Wix Headless](https://dev.wix.com/docs/go-headless.md) project, to build a [self-hosted Wix app](https://dev.wix.com/docs/api-reference/articles/platform-overview/about-self-hosted-apps.md), as a [Wix Channel partner](https://support.wix.com/en/article/wix-channels-dashboard-overview), or as an [enterprise partner](https://support.wix.com/en/article/wix-enterprise-an-overview), you need to [create a Wix client](https://dev.wix.com/docs/sdk/articles/set-up-a-client/about-the-wix-client.md) and consider how you authorize your API calls.

If you are developing a Wix site, a Wix CLI app, or a Wix Blocks app, you **don't** need to create a Wix client. In these cases, you can call the SDK's APIs directly, and authentication is handled automatically.

## Considerations

There are a number of different authorization strategies you can use when creating a Wix client. The correct strategy depends on:

- The [identities](https://dev.wix.com/docs/api-reference/articles/authentication/about-identities?apiView=SDK.md) required by the APIs you need to call.
- The context in which you are making API calls.

### Identities

Each API has a specific set of identities that can be used when calling it.
The identity types are:

- Visitor
- Member
- User
- API Key (Admin)
- Wix app

For more information about identities, see [About Identities](https://dev.wix.com/docs/api-reference/articles/authentication/about-identities?apiView=SDK.md).

### Context

There are several contexts in which your Wix client could be making API calls:

- Headless site or app
- Wix Channel or enterprise partner
- Wix app
- Wix app dashboard page

## Strategies

Once you've identified the necessary identities for your API calls and determined the context in which these calls will occur, refer to the table below to choose an appropriate authorization strategy.

| Context | Identity | Strategy |
| :-------- | :------- | :------- |
| Headless | Visitors, Members | [OAuth](#headless-visitors-and-members-with-oauth) |
| Headless | Admin | [API Key](#admin-access-with-api-key) |
| Wix Channel or enterprise | Admin | [API Key](#admin-access-with-api-key) |
| Wix app | App, Users | [OAuth](#wix-apps-with-access-token) |
| Wix app dashboard page | Users | [Dashboard SDK Auth](#app-dashboard-pages-with-dashboard-sdk-auth-strategy) |

### Headless visitors and members with OAuth

When developing functionality for use by anonymous visitors or logged-in members in a Headless site or app, use this OAuth strategy.

With this strategy, your site or app can recognize individual visitors and members and access their data, such as the items they've added to the cart.

To learn how to implement this strategy, see [Create a Client with OAuth](https://dev.wix.com/docs/go-headless/develop-your-project/self-managed-headless/authentication/oauth/create-a-client-for-authentication-with-oauth.md) in the Headless documentation.

### Admin access with API Key

When developing functionality that requires administrative access at the account level and/or for a custom/private app, use an API Key strategy.
You can also use this strategy when developing functionality that doesn't require administrative access, but only in a secure environment to prevent your API Key from being leaked.

This strategy is recommended for [Wix Channel partners](https://support.wix.com/en/article/wix-channels-dashboard-overview), [enterprise partners](https://support.wix.com/en/article/wix-enterprise-an-overview) and headless admins that don't require taking actions on behalf of an app, Wix users, site members or visitors.

With this strategy, you can perform administrative operations at the site or account level, such as create or delete team members, invite site collaborators, manage orders for any site visitor, or create a product. When creating an API Key, you grant it a custom set of permissions for accessing or managing business data, including accounts, members, orders, products, events, bookings, and more.

To learn how to implement this strategy for a headless project, see [Create a JavaScript SDK Client with an API Key](https://dev.wix.com/docs/go-headless/coding/java-script-sdk/admin/create-a-client-with-an-api-key.md).

To learn how to implement this strategy as a Wix Channel or enterprise admin, see the ApiKeyStrategy in [About the Wix Client](https://dev.wix.com/docs/sdk/articles/set-up-a-client/about-the-wix-client.md).

To learn how to create an API key, see [Generating an API Key](https://support.wix.com/en/article/wix-enterprise-using-wix-api-keys#generating-a-wix-api-key).

### Wix apps with access token

When developing app functionality that requires taking actions as the app, as Wix users (when using [elevation](https://dev.wix.com/docs/api-reference/articles/authentication/about-elevated-permissions.md)), or site visitors or site members (when passing an access token from the frontend), you should use an OAuth access token strategy.

With this strategy, you can perform all site-level operations.
To learn how to implement this strategy, see [Build Your App: OAuth](https://dev.wix.com/docs/build-apps/develop-your-app/access/authentication/authenticate-using-oauth.md).

### App dashboard pages with Dashboard SDK auth strategy

When developing functionality that requires taking actions on behalf of Wix users in a Wix app's dashboard page, you can use the Dashboard SDK Auth strategy.

To learn how to implement this strategy, see [Wix app as a Wix user in the dashboard](https://dev.wix.com/docs/sdk/articles/set-up-a-client/about-the-wix-client.md#wix-app-as-a-wix-user-in-the-dashboard).

## Site and Account IDs

When using an API Key authentication strategy you need to provide either a `siteId`, your `accountId`, or both.

### Site ID

The site ID for the project or site you are working with. You can extract this from the URL in your browser when accessing the project or site dashboard. The site ID appears after **/dashboard/** in the URL.

### Account ID

Your Wix account ID. You can retrieve this from the [API Keys page](https://manage.wix.com/account/api-keys) in your account settings.

Note that some API calls, specifically all the APIs under the [Account Level Modules](https://dev.wix.com/docs/api-reference/account-level/about-account-level-apis.md) category, are only accessible using an API key.
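
The following is an added example, not code from the Wix documentation: a server-side helper that assembles the values for an API Key strategy, enforcing the "secure environment" and "`siteId`, `accountId`, or both" rules described above. The environment variable names, the helper names, the `apiKey` field name and the sample dashboard URL are assumptions made for illustration.

```javascript
// Added example. WIX_API_KEY, WIX_SITE_ID, WIX_ACCOUNT_ID and
// WIX_DASHBOARD_URL are assumed variable names, not Wix-defined ones.

// The site ID is the path segment that follows /dashboard/ in the URL.
function siteIdFromDashboardUrl(dashboardUrl) {
  const segments = new URL(dashboardUrl).pathname.split('/').filter(Boolean);
  const i = segments.indexOf('dashboard');
  if (i === -1 || !segments[i + 1]) {
    throw new Error('No site ID found after /dashboard/ in the URL');
  }
  return segments[i + 1];
}

// Build the object handed to the API Key strategy from server-side config.
function apiKeyAuthConfig(env, isBrowser = typeof window !== 'undefined') {
  // A key bundled into browser code is readable by every visitor.
  if (isBrowser) {
    throw new Error('API Key strategy must run in a secure, server-side environment');
  }
  const apiKey = env.WIX_API_KEY;
  if (!apiKey) throw new Error('WIX_API_KEY is not set');

  const siteId = env.WIX_SITE_ID ||
    (env.WIX_DASHBOARD_URL ? siteIdFromDashboardUrl(env.WIX_DASHBOARD_URL) : undefined);
  const accountId = env.WIX_ACCOUNT_ID;
  // The strategy needs a siteId, an accountId, or both.
  if (!siteId && !accountId) {
    throw new Error('Provide WIX_SITE_ID, WIX_ACCOUNT_ID, or both');
  }

  const config = { apiKey };
  if (siteId) config.siteId = siteId;
  if (accountId) config.accountId = accountId;
  return config;
}

// Log-safe copy of the config: the key itself is never printed.
function redactConfig(config) {
  return { ...config, apiKey: '[redacted]' };
}

// Constructed sample URL, used only to show the extraction.
const SAMPLE_DASHBOARD_URL =
  'https://manage.wix.com/dashboard/11111111-2222-3333-4444-555555555555/home';
```

On the server, the object returned by `apiKeyAuthConfig(process.env)` is what you would pass to `ApiKeyStrategy` when creating the client; log `redactConfig(...)` rather than the config itself.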