auth

The auth submodule allows you to work with Wix authentication and permissions.

Important:

This submodule is not intended for use with self-hosted Apps.

Import statement

import { auth } from "@wix/essentials";

Methods

elevate()

Creates a copy of a method with the elevated permissions required by the original method.

Some methods are restricted as to who can call them, based on identities and/or permissions. For example, the createProduct() method can only be called by Wix users, while the confirmBooking() method can only be called by site collaborators who have certain administrative bookings permissions.

Methods that have authentication restrictions are indicated by an authentication note in their descriptions.

When you need to call a method from a context without the necessary authentication or permissions, create an elevated version of the method and call that elevated method instead.

Due to potential security issues, the elevate() method can only be called in the backend.

Learn more about elevation when:

Warning: Elevation permits users to call methods they typically cannot access. Therefore, you should only use it intentionally and securely. You should pay special attention when using elevate() in backend code that can be triggered from the frontend and in code that is exposed as an API to outside callers.

Syntax

function elevate(sourceFunction: Function): Function;

Parameters

Name | Type | Description
sourceFunction | function | SDK function to elevate.

Returns

An SDK function that runs with elevated permissions.

Example

Create a new product with elevated permissions:

import { auth } from "@wix/essentials";
import { products } from "@wix/stores";
const newProduct = {
  // Add product details.
};
const elevatedCreateProduct = auth.elevate(products.createProduct);
const createdProduct = await elevatedCreateProduct(newProduct);

getTokenInfo()

Returns the information encoded in the currently active token in backend extensions.

When developing backend extensions for an app or web methods, you might need to access information about the session making the request to your backend.

This information is encoded in the token sent with the request, and can be accessed using getTokenInfo(). It can include the user ID, the site ID, the instance ID, and more.

Syntax

function getTokenInfo(): Promise<{
  active: boolean;
  subjectType: 'APP' | 'USER' | 'MEMBER' | 'VISITOR' | 'UNKNOWN';
  subjectId: string;
  exp: number;
  iat: number;
  clientId?: string;
  siteId: string;
  instanceId?: string;
}>;

Returns

A promise that resolves to the token info.

Backend extension example

Code for extracting information from a request to a backend extension in a Wix CLI project:

import { auth } from "@wix/essentials";
export async function GET(req: Request) {
  const tokenInfo = await auth.getTokenInfo();
  if (tokenInfo.subjectType === "USER") {
    return new Response(`Hello user ${tokenInfo.subjectId}`);
  } else if (tokenInfo.subjectType === "APP") {
    return new Response("Hello app");
  } else if (tokenInfo.subjectType === "MEMBER") {
    return new Response(`Hello member ${tokenInfo.subjectId}`);
  } else {
    return new Response(`Hello visitor ${tokenInfo.subjectId}`);
  }
}

Web method example

Code for extracting information from a request to a web method:

import { auth } from "@wix/essentials";
import { Permissions, webMethod } from "wix-web-module";
export const sayHello = webMethod(Permissions.Anyone, async () => {
  const tokenInfo = await auth.getTokenInfo();
  if (tokenInfo.subjectType === "USER") {
    return `Hello user ${tokenInfo.subjectId}`;
  } else if (tokenInfo.subjectType === "APP") {
    return "Hello app";
  } else if (tokenInfo.subjectType === "MEMBER") {
    return `Hello member ${tokenInfo.subjectId}`;
  } else {
    return `Hello visitor ${tokenInfo.subjectId}`;
  }
});
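
Guarding elevation with the caller's token

The elevate() warning above concerns backend code that the frontend or an outside caller can trigger. The following is an added example, not code from the Wix documentation: it checks the result of getTokenInfo() against an allow-list of subject types before elevating, and denies by default. The names authorizeElevation, guardedElevate, makeStubAuth and stubCreateProduct are hypothetical, the allow-list policy is an assumption, and the stubs stand in for the SDK so the block runs offline.

```javascript
// Added example, not Wix code. `auth` is injected so this runs offline; in a
// Wix backend it would be the `auth` object imported from "@wix/essentials".

// Decide whether the caller described by getTokenInfo() may trigger elevation.
// Fails closed: anything not explicitly allowed is denied.
function authorizeElevation(tokenInfo, allowedSubjectTypes) {
  if (!tokenInfo || tokenInfo.active !== true) {
    return { allowed: false, reason: "inactive-token" };
  }
  if (!allowedSubjectTypes.includes(tokenInfo.subjectType)) {
    return { allowed: false, reason: `subject-type-${tokenInfo.subjectType}` };
  }
  return { allowed: true, reason: "ok" };
}

// Wrap an SDK method so it is elevated only after the caller check passes.
function guardedElevate(auth, sourceFunction, allowedSubjectTypes) {
  return async function (...args) {
    let tokenInfo;
    try {
      tokenInfo = await auth.getTokenInfo();
    } catch {
      tokenInfo = null; // token could not be read: treat as unauthenticated
    }
    const decision = authorizeElevation(tokenInfo, allowedSubjectTypes);
    if (!decision.allowed) {
      throw new Error(`elevation denied: ${decision.reason}`);
    }
    // Elevate as late as possible, and only this one method.
    return auth.elevate(sourceFunction)(...args);
  };
}

// Constructed stand-ins for the SDK, for demonstration only.
function makeStubAuth(tokenInfo) {
  return {
    getTokenInfo: async () => tokenInfo,
    // The stub tags results so the demo can tell they went through elevate().
    elevate: (fn) => async (...args) => ({ elevated: true, result: await fn(...args) }),
  };
}
const stubCreateProduct = async (product) => ({ ...product, _id: "constructed-id" });

// Constructed visitor token: the call is rejected before elevate() is reached.
guardedElevate(
  makeStubAuth({ active: true, subjectType: "VISITOR", subjectId: "v1" }),
  stubCreateProduct,
  ["USER"]
)({ name: "Mug" }).catch((err) => console.log(err.message));
// prints "elevation denied: subject-type-VISITOR"
```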