Migration Rest Portal

Build Apps

Go Headless

Client

API Preview

Develop Websites

REST

GraphQL (Alpha)

# About OAuth

Your app must authenticate Wix API calls using the OAuth protocol.

By default, OAuth authentication follows the
[OAuth Client Credentials protocol](fallback::https://oauth.net/2/grant-types/client-credentials/).
Using this approach, you don’t need to implement an OAuth handshake for each
installation of your app. Instead, your app can request access tokens directly
by passing the app ID, the app’s secret, and the relevant app instance ID.

In most cases, it’s sufficient that your app
[uses OAuth](fallback::https://dev.wix.com/docs/build-apps/build-your-app/authentication/use-oauth).
Wix also offers advanced OAuth settings in case you need to identify your
customers along the installation process, or if you need to redirect them at
the end of the process before they see your app’s dashboard.

## Advanced OAuth settings

We recommend that your app [uses advanced OAuth](fallback::https://dev.wix.com/docs/build-apps/build-your-app/authentication/use-advanced-oauth)
instead of basic OAuth whenever you need to redirect your users to a URL that’s
outside the Wix ecosystem during the app installation flow. For example, when
your users can’t create an account for your app in the Wix dashboard.

You can choose to implement advanced OAuth settings. Keep in mind though that
basic OAuth has the following main advantages compared to advanced OAuth: OAuth
prevents corrupted installations. OAuth is simpler to implement, since you
don’t need to set up and run a server for redirects or manage a database for
refresh tokens.

Advanced OAuth follows the industry-standard [OAuth 2.0 protocol](fallback::https://oauth.net/2/),
which provides a secure way for site owners to grant your app permissions.
Whenever a site owner installs your app, your app’s code must complete an OAuth
handshake. This requires that you set up a server to handle the relevant
redirects. Then, you need to store the refresh token for the new app instance
in your database. Finally, you can use the refresh token to retrieve an access
token and call the relevant Wix API.

With Advanced OAuth, it’s critical that your app saves the refresh token during
installation. If the process fails, you’re unable to retrieve access tokens
using [Refresh an Access Token](fallback::https://dev.wix.com/docs/rest/api-reference/authorization/advanced-oauth/refresh-an-access-token).
Though from the site owner’s point-of-view, it seems that the app installation
has succeeded. You have 2 options in this situation: Ask the site owners to
re-install your app, or fall back to retrieving access tokens with the basic
OAuth strategy by calling [Create Access Token](fallback::https://dev.wix.com/docs/rest/api-reference/authorization/advanced-oauth/create-access-token).