#Is it possible to call backend from widget code in new CLI?

I’m building a Wix CLI + Astro app with a site widget and dashboard panel.

The panel can call /api/* endpoints with httpClient.fetchWithAuth and everything works.

But the widget runs inside the Editor preview iframe and cannot send auth tokens, so any endpoint that uses elevated APIs fails.

Context:

• Widget preview iframe in Editor:

        sandbox="allow-scripts allow-forms allow-downloads allow-presentation allow-modals">

• This iframe is sandboxed without allow-same-origin, so the origin becomes null.
• When the widget calls an Astro endpoint via httpClient.fetchWithAuth, Authorization header is missing.

Evidence:
In node_modules@wix\sdk\build\auth\AppStrategy.js, I log:

async elevated() {
  if ('accessToken' in opts && opts.accessToken) {
    const tokenInfo = await getTokenInfo(opts.accessToken);
    console.log("opts",opts); <= here
    console.log("tokenInfo",tokenInfo); <= & here
    //...

Panel → Authorization: OauthNG.JWS... (valid)

opts {
  accessToken: 'OauthNG.JWS...',                                                     
  appId: '88eaa8e2-07bd-4809-aa57-c8e4e40b50ba'
}
tokenInfo {
  active: true,
  subjectType: 'USER',
  subjectId: '6245...',
  exp: '176...',
  iat: '176...',
  clientId: '88eaa...',                                                        
  accountId: '6245ae...',                                                       
  siteId: 'f26054...',                                                          
  instanceId: '5aec...'                                                       
}

Widget → Authorization: null/undefined

opts {
  accessToken: 'undefined',
  appId: '88eaa8e2-07bd-4809-aa57-c8e4e40b50ba'
}         
tokenInfo { active: false, subjectType: 'UNKNOWN', subjectId: '', clientId: '' } 

Because of this, AppStrategy throws:

at Object.elevated (...\node_modules\@wix\sdk\build\auth\AppStrategy.js:197:27)```

**opts.accessToken** is literally `undefined`, so AppStrategy fails before it can elevate.


**Questions:**

1) Is it expected that **site widget iframes in editor preview cannot access auth context** and thus cannot call Astro endpoints with `fetchWithAuth`?
2) Is there any WIX‑recommended approach to call backend endpoints from a widget (editor/preview/site)?
3) If not, should widgets be limited to frontend API, and all elevated operations must handled in panel/dashboard?
4) Does old CLI support backend operations from under the widget?

Any guidance or official doc would help.

Thanks!

On published website using live 'released' app I see next errors:
By the way error, like:
stateCache.ts:160 App not found for script Script not identified, errorId: 404C
is pretty common for me. Usually, I see them for different apps, although this one isn't preventing the code from work (usually) stateCache.ts:160 App not found for script Script not identified, errorId: 404C

Even if I build the app from the template and won't change anything inside, just build and release it - I'll see same errors:
stateCache.ts:160 App not found for script Script not identified, errorId: 404C
And it is uses embedded script that error as well:
Error: Wix context is not available. Make sure to initialize the Wix context before using SDK modules

Another case is in dev mode in editor this kind of errors:
packagesWatcherService.ts:27 Uncaught TypeError: Cannot read properties of undefined (reading 'studio')

I’m really tired of chasing these kinds of errors and spending more time on them than on the app’s functionality. It’s making the whole development process frustrating.

Hi @plush dagger Please open a detailed ticket:
Attach the sample code of the flow so we can forward it.
Also, attach a minimal reproducible GitHub repository.

Hi Erel,

I’ve opened a ticked. I can make a zip from the app and send it as following email to the ticket if it would help.

I'm having the same issue. I want to create a site-widget that communicates with the wix backend but I have hit the same wall. Did you find a solution @plush dagger?

The alternatives I’ve found so far aren’t ideal. So I was forced to pause development.
I’m really hoping WIX will enable backend access directly from within the widget, as that seems like essential functionality.

I’ve submitted several tickets with detailed information, so they should be aware of the issue. However, as always there’s still no indication of when it will be resolved.

If you will have some news please ping me here as well 😉

I had a working prototype running that used a short lived jwt token that mostly worked. Wix Page Code calls a wix backend function which generates the token using a secret in the secret_store. The token is then passed to my site-widget which directly calls my backend. It did work but it's annoying to setup. Also the token was straightup accessible to website users. Not ideal. The App path looked so promising. Easy configuration in the dashboard, drag and drop, settings menu ect.
But If I can't call the wix backend then all of this is sort of pointless

Hi @fair heron,
Dont want to be bothering. But a few months passed.
Can you please check if we have some news from WIX inner dev team regarding this issue with calling app backend from under the widget?
Thank you alot

Hey @plush dagger, I saw that a fix was released recently (but might not be rolled out entirely), could you please check again? You might have to update your CLI version.
Keep me updated if the issue still stands

I'm still getting the same errors unfortunatly. Are there any specific packages we might need to update to get the fix or is it most likely just a rollout thing?

I believe it's a rollout thing, but please open a ticket with your app's information so that we can monitor it and update you >>
https://www.wix.com/support-chatbot?nodeId=25a57397-ccf7-4376-8b74-48d51edf7159&referral=devRels

@fair heron
Hi Tom, Thank you for letting me know.
Mostly worked - auth headers are now here. But there was a problem with elevated calls in backend.
I was able to fix it by applied local runtime patch to @wix/[email protected] => auth.mjs

Seems like WIX auth middleware builds AppStrategy({ accessToken, appId }) without appSecret, then calls .elevated(), which causes my exact failure getAuthHeaders() fails at: AppStrategy.js (line 133). So in a local patch I included appSecret/publicKey in the access-token branch and it worked.

It would be great if WIX can include that fix in new @wix/astro@latest

Thats good to hear. Didn't work for me today but pleased to hear it will work soon enough

After waiting for a bit longer, (Was sick admittedly). I finally sent in a ticket via the chatbot. Fixed in a couple of hours. May have been a coincidence since I haven't gotten a reply yet but I'm still happy

Hi, may I ask how did you manage to fix that? I'm currently having a very similar problem to what is described in this thread.
My setup is a custom element + backend api in a Wix CLI app.
Getting the App not found for script Script not identified, errorId: 404C error.
And using httpClient.fetchWithAuth does nothing (the promise never resolves or rejects)

Unfortunatly I don't have any steps you can directly take. My issue was that fetchWithAuth did not work in a Site Context. IE my widget element could not call the backend api. That was an issue on the wix side of things which they have fixed. I simply created a ticket at some point and presumably they rolled the update out for my sites.

By now though the update should be generally rolled out.

Regarding the app not found error. It's still there on my site but since the stuff works I have just ignored it.

try creating the most barebones example you can think of to see if fetchWithAuth works. In general it should work now