Authentication overview
Wix API authentication is the process by which client applications verify their identity to the Wix platform to gain access to protected resources and perform actions on behalf of a Wix user or site. The choice of authentication method depends on the nature of the integration: whether it's a backend service interacting directly with Wix, a third-party application requiring user consent, or a frontend component operating within a Wix site context. Wix provides distinct mechanisms to accommodate these different scenarios, ensuring secure and scoped access to its extensive API surface (see the Wix API overview).
Understanding the appropriate authentication flow is critical for developers to build secure and functional applications. Improper authentication can lead to unauthorized access, data breaches, or failed API calls. Wix adheres to industry-standard authentication protocols, emphasizing security and ease of integration for developers extending Wix site functionalities or integrating external services.
Supported authentication methods
Wix API supports several authentication methods, each designed for specific integration patterns and security requirements. The primary methods include API Keys for direct server-to-server communication, OAuth 2.0 for delegated authorization from users, and Session Tokens for client-side applications within the Wix ecosystem.
API Key
API Keys provide a straightforward method for authenticating requests from backend services or standalone scripts that operate on a Wix site. An API Key is a unique string that identifies your application and grants it access to specific Wix APIs. This method is suitable for programmatic access where user interaction for authorization is not required, such as a cron job syncing data or a server-side application managing inventory. API Keys should be treated as sensitive credentials and kept confidential.
OAuth 2.0
OAuth 2.0 is an industry-standard protocol for delegated authorization, allowing third-party applications to obtain limited access to a user's Wix account without exposing their credentials (see the OAuth 2.0 specification). This is the recommended method for applications that interact with Wix users, such as a marketing automation tool or a customer support integration. The OAuth 2.0 flow typically involves:
- The application redirects the user to Wix for authorization.
- The user grants permission to the application.
- Wix redirects the user back to the application with an authorization code.
- The application exchanges the authorization code for an access token and a refresh token.
- The access token is used to make authenticated API requests.
- The refresh token is used to obtain new access tokens when the current one expires.
This flow ensures that the user maintains control over their data and can revoke access at any time.
Session Token
Session tokens are used for authenticating requests made from client-side code running within a Wix site, such as Velo (Wix's serverless platform) code or custom elements. These tokens are automatically managed by the Wix platform and provide authenticated access to APIs that are permitted for the current user's session. This method simplifies authentication for frontend developers by abstracting away the complexities of credential management and secure token exchange.
The following table summarizes the supported authentication methods:
| Method | When to Use | Security Level |
|---|---|---|
| API Key | Server-to-server integrations, backend services accessing data for a specific site. | High, if securely stored and managed; susceptible to compromise if exposed. |
| OAuth 2.0 | Third-party applications requiring user consent to access data across multiple Wix sites or user accounts. | Very High, delegated authorization, short-lived access tokens, refresh tokens for renewal. |
| Session Token | Frontend code within a Wix site (e.g., Velo, custom elements) operating within the current user's authenticated session. | High, managed by Wix platform, tied to user session, automatic renewal. |
Getting your credentials
To integrate with the Wix API, you need to obtain the appropriate credentials from your Wix account. The process varies slightly depending on the authentication method you intend to use.
For API Keys
- Navigate to the Wix Dev Center.
- Create a new application or select an existing one.
- Within your application settings, locate the "API Keys" section.
- Generate a new API Key. Ensure you copy and store it securely immediately, as it may not be retrievable later.
- Configure the necessary permissions (scopes) for your API Key to ensure it has only the access it needs.
For OAuth 2.0
- Go to the Wix Dev Center and create a new application.
- In your application settings, find the "OAuth" or "Permissions" section.
- Register your application's redirect URIs. These are the URLs where Wix will send the authorization code after a user grants permission.
- Note down your Client ID and Client Secret. The Client ID is public, but the Client Secret must be kept confidential and never exposed in client-side code.
- Define the required OAuth scopes (permissions) that your application will request from users.
For Session Tokens
Session tokens are typically managed automatically by the Wix platform when code runs within a Wix site's context. Developers using Velo by Wix or custom elements within the Wix Editor usually do not need to explicitly generate or manage these tokens. The Wix environment handles the authentication transparently, allowing your code to make authenticated calls to Wix APIs (see the Wix developer documentation).
Authenticated request example
This example demonstrates how to make an authenticated request to a Wix API endpoint using an API Key. For OAuth 2.0, the process involves obtaining an access token first, which is then used in the Authorization: Bearer header.
Using an API Key (cURL)
Replace YOUR_API_KEY with your actual Wix API Key, YOUR_SITE_ID with your Wix site ID, and YOUR_COLLECTION_ID with the ID of the collection you want to query. This example uses the Wix Data API to query items from a collection; because the query is sent as a JSON request body, the request is a POST (the same method the JavaScript example below uses).
```bash
# The API Key goes directly in the Authorization header (no "Bearer" prefix);
# the site is selected with the wix-site-id header.
curl -X POST \
  'https://www.wixapis.com/wix-data/v2/items/query?dataCollectionId=YOUR_COLLECTION_ID' \
  -H 'Authorization: YOUR_API_KEY' \
  -H 'wix-site-id: YOUR_SITE_ID' \
  -H 'Content-Type: application/json' \
  -d '{ "query": { "filter": {}, "sort": [], "paging": { "limit": 10, "offset": 0 } } }'
```
Using an Access Token (JavaScript with Fetch)
This example demonstrates an authenticated request using an OAuth 2.0 access token. Replace YOUR_ACCESS_TOKEN with the token obtained through the OAuth flow, and YOUR_SITE_ID and YOUR_COLLECTION_ID as in the cURL example above.
```javascript
const accessToken = 'YOUR_ACCESS_TOKEN';
const siteId = 'YOUR_SITE_ID';
const collectionId = 'YOUR_COLLECTION_ID';

fetch(`https://www.wixapis.com/wix-data/v2/items/query?dataCollectionId=${collectionId}`, {
  method: 'POST',
  headers: {
    // OAuth 2.0 access tokens are sent as a Bearer token
    'Authorization': `Bearer ${accessToken}`,
    'wix-site-id': siteId,
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    query: {
      filter: {},
      sort: [],
      paging: {
        limit: 10,
        offset: 0
      }
    }
  })
})
  .then(response => {
    // A 401 or 403 here usually means an expired token or a missing scope
    if (!response.ok) {
      throw new Error(`Request failed with HTTP ${response.status}`);
    }
    return response.json();
  })
  .then(data => console.log(data))
  .catch(error => console.error('Error:', error));
```
Security best practices
Implementing strong security practices is paramount when working with any API, and the Wix API is no exception. Adhering to these guidelines helps protect your application, your users' data, and your Wix site from unauthorized access and potential breaches.
- Keep API Keys and Client Secrets Confidential: Never hardcode API Keys or Client Secrets directly into client-side code or public repositories. Store them in environment variables, secure configuration files, or a dedicated secrets management service. For server-side applications, use secure server-side storage.
- Use OAuth 2.0 for User-Facing Applications: When building applications that interact with user data or require user consent, always opt for OAuth 2.0. This prevents your application from handling user credentials directly and grants granular control over permissions (see Google's OAuth 2.0 documentation).
- Implement Least Privilege: Grant your API Keys and OAuth applications only the minimum necessary permissions (scopes) required for their functionality. Regularly review and update these permissions as your application evolves.
- Secure Redirect URIs: For OAuth 2.0, ensure your registered redirect URIs are secure (HTTPS) and specific. Avoid using wildcard redirect URIs, which can be exploited for phishing attacks.
- Handle Access Tokens Securely: Access tokens obtained via OAuth 2.0 are short-lived. Store them securely in memory or encrypted storage. Use refresh tokens to obtain new access tokens without re-authenticating the user, but store refresh tokens with even greater care due to their longer lifespan.
- Validate and Sanitize Inputs: Always validate and sanitize all data received from API responses and user inputs to prevent injection attacks and other vulnerabilities.
- Implement Error Handling and Logging: Robust error handling can help identify and respond to authentication failures or suspicious activities. Log relevant events (e.g., failed login attempts, token refreshes) for auditing and security monitoring.
- Encrypt Data in Transit: Ensure all communication with the Wix API uses HTTPS (TLS/SSL) to encrypt data in transit, protecting it from eavesdropping and tampering. Wix API endpoints are exclusively served over HTTPS.
- Regularly Rotate API Keys: Periodically rotate your API Keys to mitigate the risk of compromise. If an API Key is suspected of being compromised, revoke it immediately and generate a new one.
- Monitor API Usage: Keep an eye on your API usage patterns. Unusual spikes or requests from unexpected locations could indicate unauthorized access.
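Two of the practices above turned into code, as an added example that is not from the page or from Wix: exact-match redirect URI checking (no wildcards, no fragments, HTTPS only) and expiry-aware handling of the access/refresh token pair that is never written to logs. The `refreshFn` parameter is an assumed, injected async function that calls the token endpoint with the refresh token and resolves to the server's token response.

```javascript
// Added example (not from the page or from Wix): two practices from the list above
// as code, exact-match redirect URI checking and expiry-aware access-token handling.
// Assumption: `refreshFn` is an injected async function that calls the token
// endpoint and resolves to { access_token, expires_in, refresh_token? }.

// Accept only URIs registered in advance, compared as whole strings: no prefix
// or wildcard matching, no fragments, and https only (loopback http aside).
function isAllowedRedirectUri(candidate, registered) {
  let u;
  try { u = new URL(candidate); } catch { return false; }
  const loopback = u.protocol === 'http:' &&
    (u.hostname === '127.0.0.1' || u.hostname === 'localhost');
  if (u.protocol !== 'https:' && !loopback) return false;
  if (u.hash !== '') return false;
  return registered.includes(candidate);
}

// In-memory holder for the token pair returned by the OAuth flow.
function createTokenStore(tokens, now = Date.now()) {
  return {
    accessToken: tokens.access_token,
    refreshToken: tokens.refresh_token,
    expiresAt: now + tokens.expires_in * 1000, // absolute deadline in ms
  };
}

// Refresh a little early so an in-flight request never races the deadline.
function needsRefresh(store, now = Date.now(), skewMs = 30000) {
  return now + skewMs >= store.expiresAt;
}

// Apply a token response; a rotated refresh token replaces the old one.
function applyRefresh(store, resp, now = Date.now()) {
  store.accessToken = resp.access_token;
  if (resp.refresh_token) store.refreshToken = resp.refresh_token;
  store.expiresAt = now + resp.expires_in * 1000;
  return store;
}

// The one call the rest of the app uses; the user is never re-prompted.
async function getAccessToken(store, refreshFn) {
  if (needsRefresh(store)) applyRefresh(store, await refreshFn(store.refreshToken));
  return store.accessToken;
}

// What may go to logs: presence and expiry, never the token values themselves.
function describeForLog(store) {
  return { hasRefreshToken: Boolean(store.refreshToken),
    expiresAt: new Date(store.expiresAt).toISOString() };
}
```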