Build Status npm version

codecov bitHound Overall Score bitHound Dependencies npm downloads


Wix Application authentication strategy for Passport.

Useful helper for Wix Application developers


$ npm install -S passport-wix-app


This module parses instance parameter passed by Wix Applications (see documentation 🌐)

Wix sends several other parameters (not only instance). You could get their values straight from the original request. Just pass passReqToCallback: true among other Strategy options.

Additional request's parameters depend on Wix Application type. Read more on the official Wix-Dev site:

Configure Strategy

The wix-app authentication strategy authenticates a user using instance parameter, passed by Wix 🌐.

The strategy requires options and verify callback.

passport.use(new WixAppStrategy({"secret": "WIX-APP-SECRET"},
  function verifyCallback (instance, done) {

    // any user-verification logic
    // ...
    // here is an example:
      application: instance.instanceId,
      userId: instance.uid
    }, function (err, user) {
      // error during verification
      if (err) { return done(err) }

      // user is not found/not authenticated
      if (!user) { return done(null, false) }

      // success:
      return done(null, user)


You can pass additional options to the WixAppStrategy constructor:

new WixAppStrategy(options, callback)

The available options are:

  • passReqToCallback - determines whether to pass the incoming request (req) to the verify callback
  • secret - Optional, defaults to null. Defines the secret assigned to your Wix Application. Note that you can omit secret on a configuration step and pass secret on request handling, when the app will call passport.authenticate() method.

Verification callback

Verification callback will be called with several params (see passReqToCallback in options-section):

Parsed Instance

Example of parsed instance (taken from Wix-documentation 🌐 and extended with custom fields - ext):

parsedInstance = {
    "instanceId":       "bf296da1-75ce-48e6-9f72-14b7148d4fa2",
    "signDate":         "2015-12-10T06:57:37.201Z",
    "uid":              "da32cbf7-7f8b-4f9b-a97e-e67f3072ce92",
    "permissions":      "OWNER",
    "ipAndPort":        "",
    "vendorProductId":  null,
    "originInstanceId": "c38e4e00-dcc1-433e-9e90-b332def7b342",
    "siteOwnerId":      "da32cbf7-7f8b-4f9b-a97e-e67f3072ce92",

    // additional params:
    "ext": {
        "ip":           "",
        "port":         35734,
        "signDate":     new Date(2015, 11, 10, 06, 57, 37, 201)

Authenticate Requests

Use passport.authenticate(), specifying the 'wix-app' strategy, to authenticate requests.

For example, as route middleware in an Express 🌐 application:'/login',
  passport.authenticate('wix-app', { failureRedirect: '/login' }),
  function(req, res) {

Or, with late-loaded secret:'/login',
  passport.authenticate('wix-app', {
    secret: 'secret-key',
    failureRedirect: '/login'
  function(req, res) {


The passport-local 🌐 (by Jared Hanson) was used as a scaffold for this module.


Please, read the LICENSE file in the root of the repository (or downloaded package).

Supported by