Understanding API Key Security
3 min read
Wix API keys are codes (also known as strings) that you can generate to give a user or application access to your sites.
API keys can give access to all of the site data on your account, so it's important that you understand how to keep your API keys secure.
In this article, learn more about:
Verifying your identity for managing API keys
When you generate a new API key or make changes to your existing API keys, you'll be asked to verify your identity. This ensures that only authorized people can make changes to the API keys on your account and helps keep your site data secure.
To verify your identity, a 6-digit code is sent to the email address linked to your account. To perform any action with your API keys, you will need to enter this code in the Verify your account pop-up.
Understanding Wix API key permissions
By default, each API key you generate grants access to all of the sites under your account. This is because API keys are generated at an account level. You can control the level of access an API key grants by selecting the permissions assigned to it.
For example, you can select the Wix Stores permission to only allow your API key to access your site's store data, including products, orders, and currencies.
There are three different types of permissions you can assign to your API keys.
Permission type | Explanation |
---|---|
All permissions | This setting lets you add all available account and site-level permissions to your API key. This allows the key to access all related account and site-level data. |
Basic permissions | This setting returns the IDs of all the sites on your account. It is selected by default and cannot be unselected. |
All account permissions | This setting lets you add all available account-level permissions to your API key. This allows the key to create new Wix accounts and more. |
All site permissions | This setting lets you add all available site-level permissions to your API key. This allows the key to manage your store data, bookings data, events data, and more. |
You can also choose to select permissions for only some site-level data, e.g. your Wix Stores data.
In general, you should only choose the permissions you need for a certain API key to keep your site data secure. Most permissions automatically give read and write access to your site's data, so assigning the appropriate permissions ensures that you don't give more access to your site data than is necessary.
Actions to take if your API key is compromised
Each Wix API key that you generate has access to all of the sites in your account. It's important that you only share your Wix API keys with people you trust.
If you suspect that someone has unauthorized access to one of your Wix API keys, it's important to act immediately. We recommend that you rotate your API key to create a new token for the key. All APIs that previously had access to your site data will immediately have their access revoked.
If you’re not sure if someone has unauthorized access to one of your keys, it's a good idea to duplicate your key. Add the new token to your API calls, share the new token with any team members that need it, and then delete the old API key. This ensures that APIs that use the key will not have any interruption in service.
Important:
- Any user or application that previously had access to the API key will lose access to your site data after you rotate or delete it.
- It is not possible to recover a previous API key after you rotate or delete it.
Want to learn more about using Wix API keys?
Read our article about building requests using API keys.
Did this help?
|