CLI Documentation Notice
You're viewing documentation for the new Wix CLI, which we recommend for all new projects. Determine which CLI your project uses.
Some SDK methods require elevated permissions to access sensitive data or perform privileged operations. For example, retrieving site properties or accessing business data often requires app-level authorization that site visitors, site members, and Wix users don't have. Without elevation, these calls return a 403 Forbidden error.
To elevate permissions, use the JavaScript SDK to give specific calls Wix app authentication. Check each method's documentation to see if it requires elevated permissions.
To elevate API call permissions:
You can make calls from your frontend code to your project's backend using HTTP endpoints. How you call the endpoint from the frontend depends on whether you're building a headless project or an app.
Important: Exposing elevated API calls creates a privilege escalation risk. Make sure to protect your exposed API calls with the appropriate logic.
Set up your project's backend to handle requests for elevated API calls from your frontend.
To set up your backend:
1. Set up an HTTP endpoint.
2. In the file that defines your endpoint, import APIRoute from astro, the auth submodule from @wix/essentials, and the module containing the method you want to call with elevated permissions.
3. Expose an endpoint that calls the API method you need. Wrap the method with auth.elevate() before calling it.
Call your backend endpoint from your project's frontend. How you call the backend depends on whether you're building a headless project or an app.
Note: This step is implemented the same way as calling HTTP endpoints without elevation.
These examples demonstrate how to elevate Get Site Properties.
The backend code is the same for both headless and app projects.
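The following is an added example, not code from the Wix documentation. It shows one way to apply the "appropriate logic" the Important note asks for around an elevated Get Site Properties call: check the caller before the elevated method runs, and return only an allow-list of fields. The names getSitePropertiesForCaller, pickPublicFields, isCallerAllowed and PUBLIC_FIELDS, the field names, and the { properties } return shape are assumptions made for illustration.

```javascript
// Added example: field names and the caller shape are constructed for illustration.
const PUBLIC_FIELDS = ["siteDisplayName", "locale", "timeZone"];

// Copy only allow-listed keys so elevated data is never returned wholesale.
function pickPublicFields(properties) {
  const out = {};
  for (const key of PUBLIC_FIELDS) {
    if (Object.prototype.hasOwnProperty.call(properties, key)) {
      out[key] = properties[key];
    }
  }
  return out;
}

// Core logic, kept independent of the HTTP framework so it can be tested.
// deps.elevatedGetSiteProperties: the method already wrapped with auth.elevate()
//   (assumed here to resolve to an object with a `properties` key).
// deps.isCallerAllowed: hypothetical project-supplied check (session, role, ...).
async function getSitePropertiesForCaller(caller, deps) {
  // Decide before elevating: the privileged call must not run for rejected callers.
  if (!(await deps.isCallerAllowed(caller))) {
    return { status: 403, body: { error: "forbidden" } };
  }
  try {
    const { properties } = await deps.elevatedGetSiteProperties();
    return { status: 200, body: pickPublicFields(properties ?? {}) };
  } catch {
    // Do not echo upstream error details back to the frontend.
    return { status: 502, body: { error: "upstream call failed" } };
  }
}

// Wiring inside the Astro endpoint file (comments only; needs the Wix packages):
//   const elevated = auth.elevate(siteProperties.getSiteProperties);
//   export const GET = async ({ request }) => {
//     const r = await getSitePropertiesForCaller(request, {
//       elevatedGetSiteProperties: elevated,
//       isCallerAllowed, // hypothetical: your own authorization check
//     });
//     return new Response(JSON.stringify(r.body), {
//       status: r.status,
//       headers: { "Content-Type": "application/json" },
//     });
//   };
```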