About the Wix Secrets API

 

Developer Preview
APIs in Developer Preview are subject to change and are not intended for use in production.
Send us your suggestions for improving this API. Your feedback is valuable to us.

   

The Wix Secrets Backend v2 API contains functionality for managing secrets on your site. Secrets managed by this API are available in the Secrets Manager section of your site's dashboard. You can securely store API keys and other secrets on your site. Each secret's value is encrypted, and each secret is assigned a name of your choice and an ID. You can then use the name or ID to refer to the secret in your backend code rather than hardcoding its value.

Learn more about Velo's Secrets Manager.

With the Secrets API, you can safely:

To use the Secrets API, import { secrets } from the wix-secrets-backend.v2 module:

Learn more about the Wix Secrets API in Secrets Manager in the Velo API Reference, and on Wix Learn.

Before you begin

It's important to note the following:

  • You must set up a Members Area before you can create or manage secrets with the Secrets API. The Members Area isn't required to retrieve secrets with getSecretValue().
  • Deleting a secret, or modifying a secret's name or value, breaks all code using the secret.
  • You can't create or rename a secret with a name that's already in use.

Security considerations

  • If you currently use private keys in your code, we recommend removing them. You can create a secret with either the Secrets API or the Functional Testing tool.
  • To prevent malicious users from accessing the values of your secrets, use them only in backend code. Avoid using secret values in frontend code.
  • Do not use listSecretInfo() in a .jsw file with anonymous permissions. This is a serious security risk which exposes your secrets to potential leaks. To prevent this, implement listSecretInfo() in a separate .js file to block frontend access. If you must include listSecretInfo() in a .jsw file, make sure the exported function has permissions set to Admin.
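
The three considerations above can be checked mechanically before publishing. This is an added example, not Wix code: a small Node.js audit over project sources. The file paths, the "backend/" prefix convention, the PEM-header heuristic for private keys, and the sample sources are assumptions constructed for illustration.

```javascript
// Added example: audit Velo source files against the security considerations above.
// Assumptions: files arrive as { path: source }, and backend code lives under "backend/".
const RULES = [
  { // listSecretInfo() reachable from a web module (.jsw) needs a permission review.
    id: 'listSecretInfo-in-jsw',
    applies: (path) => path.endsWith('.jsw'),
    pattern: /\blistSecretInfo\b/,
    advice: 'Move the call to a backend .js file, or set the export to Admin.',
  },
  { // The secrets module should never be referenced from frontend code.
    id: 'secrets-in-frontend',
    applies: (path) => !path.startsWith('backend/'),
    pattern: /wix-secrets-backend/,
    advice: 'Use secret values only in backend code.',
  },
  { // Heuristic for a hardcoded private key: a PEM header in any source file.
    id: 'hardcoded-private-key',
    applies: () => true,
    pattern: /-----BEGIN [A-Z ]*PRIVATE KEY-----/,
    advice: 'Remove the key from code and store it as a secret.',
  },
];

// Returns one finding per (line, rule) match so each can be reviewed by hand.
function auditFiles(files) {
  const findings = [];
  for (const [path, source] of Object.entries(files)) {
    source.split('\n').forEach((text, index) => {
      for (const rule of RULES) {
        if (rule.applies(path) && rule.pattern.test(text)) {
          findings.push({ path, line: index + 1, rule: rule.id, advice: rule.advice });
        }
      }
    });
  }
  return findings;
}

// Constructed sample project, not real site code.
const importLine = "import { secrets } from 'wix-secrets-backend.v2';";
const listLine = 'export const listAll = () => secrets.listSecretInfo();';
const sampleFiles = {
  'backend/secretsAdmin.js': `${importLine}\n${listLine}`, // allowed: plain .js
  'backend/api.jsw': `${importLine}\n${listLine}`,         // flagged on line 2
  'public/checkout.js': importLine,                        // flagged on line 1
  'backend/payments.js': "const key = '-----BEGIN PRIVATE KEY-----';", // flagged
};

auditFiles(sampleFiles).forEach((f) => console.log(`${f.path}:${f.line} [${f.rule}] ${f.advice}`));
```

Function permissions are not stored in the source files scanned here, so a listSecretInfo-in-jsw finding means the export's permission setting still has to be checked by hand.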

Permissions information

The following functions in Secrets are restricted and only run if you elevate permissions using the wix-auth elevate() function:

Warning: Elevating a function allows it to be called by any site visitor. Exercise caution to prevent security vulnerabilities.

Terminology

  • Secret: Secrets are values that you don’t want to be publicly accessible, such as login credentials or API keys.
  • API key: An API (Application Programming Interface) key is a unique code used to authenticate a user or program when making a call to an API.