## Resource: auth

## Article: auth

## Article Link: https://dev.wix.com/docs/sdk/core-modules/essentials/auth.md

## Article Content:

# auth

The `auth` module allows you to work with Wix authentication and permissions.

## Import statement

```js
import { auth } from "@wix/essentials";
```

## Methods

### `elevate()`

Creates a copy of a method with the elevated permissions required by the original method.

> **Note:**
>
> This method is not intended for use with [self-hosted apps](https://dev.wix.com/docs/build-apps/develop-your-app/frameworks/self-hosting/about-self-hosting-for-wix-apps.md) or [self-managed headless projects](https://dev.wix.com/docs/go-headless/develop-your-project/self-managed-headless/about-self-managed-headless.md).
>
> - For self-hosted apps, apply [`elevated()`](https://dev.wix.com/docs/sdk/core-modules/sdk/app-strategy.md) to the `AppStrategy`.
> - For self-managed headless projects, use an [API Key](https://dev.wix.com/docs/api-reference/articles/authentication/about-api-keys.md).

Some methods are restricted as to who can call them, based on identities and/or permissions. For example, the [`createProduct()`](https://dev.wix.com/docs/sdk/backend-modules/stores/products/create-product.md) method can only be called by Wix users, while the [`confirmBooking()`](https://dev.wix.com/docs/sdk/backend-modules/bookings/bookings/confirm-booking.md) method can only be called by site collaborators who have certain administrative bookings permissions.

Methods that have authentication restrictions are indicated by an authentication note in their descriptions.

When you need to call a method from a context without the necessary authentication or permissions, create an elevated version of the method and call that elevated method instead.

Due to potential security issues, the `elevate()` method can only be called in the backend.

Learn more about elevation when:

- [Developing websites](https://dev.wix.com/docs/develop-websites/articles/coding-with-velo/authorization/elevation.md)
- [Building apps](https://dev.wix.com/docs/build-apps/develop-your-app/access/authorization/about-elevation.md)

> **Warning:**
>
> Elevation permits users to call methods they typically cannot access. Therefore, you should only use it intentionally and securely. You should pay special attention when using `elevate()` in backend code that can be triggered from the frontend and in code that is exposed as an API to outside callers.

#### Method Declaration
```js
function elevate(sourceFunction: Function): Function;
```
#### Parameters
| Name | Type | Description |
| ---- | ---- | ----------- |
| `sourceFunction` | function | SDK function to elevate. |
#### Returns
An SDK method that runs with elevated permissions.
#### Example
Create a new product with elevated permissions:
```js
import { auth } from "@wix/essentials";
import { products } from "@wix/stores";

const newProduct = {
  // Add product details.
};

const elevatedCreateProduct = auth.elevate(products.createProduct);
const createdProduct = await elevatedCreateProduct(newProduct);
```
### `getTokenInfo()`
Returns the information encoded in the currently active token in backend extensions.
When developing [backend extensions](https://dev.wix.com/docs/build-apps/develop-your-app/extensions/backend-extensions/about-backend-extensions.md) for an app or [web methods](https://dev.wix.com/docs/velo/apis/wix-web-module/web-method.md), you might need to access information about the session making the request to your backend.
This information is encoded in the token sent with the request, and can be accessed using `getTokenInfo()`. It can include the user ID, the site ID, the instance ID, and more.
#### Method Declaration
```js
function getTokenInfo(): Promise<{
  active: boolean;
  subjectType: 'APP' | 'USER' | 'MEMBER' | 'VISITOR' | 'UNKNOWN';
  subjectId: string;
  exp: number;
  iat: number;
  clientId?: string;
  siteId: string;
  instanceId?: string;
}>;
```
#### Returns
A promise that resolves to the token info.
#### Backend extension example
Code for extracting information from a request to a backend extension in a Wix CLI project:
```ts
import { auth } from "@wix/essentials";

export async function GET(req: Request) {
  const tokenInfo = await auth.getTokenInfo();

  if (tokenInfo.subjectType === "USER") {
    return new Response(`Hello user ${tokenInfo.subjectId}`);
  } else if (tokenInfo.subjectType === "APP") {
    return new Response("Hello app");
  } else if (tokenInfo.subjectType === "MEMBER") {
    return new Response(`Hello member ${tokenInfo.subjectId}`);
  } else {
    return new Response(`Hello visitor ${tokenInfo.subjectId}`);
  }
}
```
#### Web method example
Code for extracting information from a request to a web method:
```ts
import { auth } from "@wix/essentials";
import { Permissions, webMethod } from "@wix/web-methods";

export const sayHello = webMethod(Permissions.Anyone, async () => {
  const tokenInfo = await auth.getTokenInfo();

  if (tokenInfo.subjectType === "USER") {
    return `Hello user ${tokenInfo.subjectId}`;
  } else if (tokenInfo.subjectType === "APP") {
    return "Hello app";
  } else if (tokenInfo.subjectType === "MEMBER") {
    return `Hello member ${tokenInfo.subjectId}`;
  } else {
    return `Hello visitor ${tokenInfo.subjectId}`;
  }
});
```
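
The warning on `elevate()` singles out backend code that the frontend can trigger. The following added example (not part of the Wix documentation) shows one way to gate an elevated call on the output of `getTokenInfo()` and to allow-list the caller's input. The helper names, the `USER`-only policy and the field names are assumptions, and the Wix calls are injected as parameters so the code runs without the Wix runtime.

```javascript
// Added example. In a Wix backend the injected dependencies would be:
//   getTokenInfo -> auth.getTokenInfo
//   elevatedFn   -> auth.elevate(products.createProduct)

// Assumption: only Wix users may trigger this elevated call.
const ALLOWED_SUBJECTS = new Set(["USER"]);
// Hypothetical field names; list the fields your method really accepts.
const ALLOWED_FIELDS = ["name", "description"];

// Returns { ok, reason } based on the token info fields documented above.
function checkCaller(tokenInfo, allowed = ALLOWED_SUBJECTS) {
  if (!tokenInfo || tokenInfo.active !== true) {
    return { ok: false, reason: "inactive-token" };
  }
  if (!allowed.has(tokenInfo.subjectType)) {
    return { ok: false, reason: "subject-not-allowed" };
  }
  return { ok: true, reason: "allowed" };
}

// Copies only allow-listed own properties, so frontend input cannot
// pass extra fields through to the elevated method.
function pickFields(input, fields = ALLOWED_FIELDS) {
  const out = {};
  if (input == null) return out;
  for (const key of fields) {
    if (Object.prototype.hasOwnProperty.call(input, key)) {
      out[key] = input[key];
    }
  }
  return out;
}

// Wraps an elevated function so the caller check always runs first.
function guardElevated(getTokenInfo, elevatedFn, allowed = ALLOWED_SUBJECTS) {
  return async function guarded(input) {
    const decision = checkCaller(await getTokenInfo(), allowed);
    if (!decision.ok) {
      // Deny before the elevated function is ever invoked.
      throw new Error(`Forbidden: ${decision.reason}`);
    }
    return elevatedFn(pickFields(input));
  };
}
```

Inside a web method declared with `Permissions.Anyone`, the wrapped function replaces the direct call to the elevated method, so a visitor or member token is rejected before any elevated code runs.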