API Keys Page

Credential management system for third-party developers

2022 · Developer tools

August 2021

API Keys are a critical part of Wix’s platform strategy - enabling developers and third-party integrations to securely authenticate against Wix’s APIs. I designed the end-to-end UX for the API Keys management page, covering key generation, granular permission configuration, account verification, and ongoing key management. The core security constraint shaped the entire design: each key is visible only once at generation and can never be retrieved again.

To handle the one-time visibility challenge, I designed a secure reveal flow that surfaces the key immediately after generation with clear copy prompts and confirmation messaging, so users understand they must save it before leaving. Beyond generation, the design included a full keys management table for viewing, editing, and revoking keys, with a granular permissions UI letting users define exactly what each key could access - giving teams precise security control over their Wix integrations.

What I Did

  • Solved the one-time key visibility challenge by designing a clear, secure reveal flow that surfaces the key only at generation
  • Designed granular permission configuration to let users control what each API key can access
  • Added an account verification step prior to key generation to ensure security

Impact

  • The API Keys page became the primary credential management surface for developers building on the Wix platform. It removed the need to manage keys outside of Wix and gave enterprise and agency developers a reliable, in-product way to authenticate integrations.

Empty state shown to first-time users before any API keys have been generated
Permissions selection step during key generation — choosing what data the key can access
Expanding a permission category to configure granular sub-permissions for the key
Account verification prompt — a 6-digit code is sent to the user’s email before the key can be generated
Code entry step — user enters the emailed verification code to confirm their identity
One-time key reveal — the token is only visible at this moment and must be copied before closing
Keys management table showing a generated key with its token, permissions breakdown, and the Account ID panel
Expanded permissions view for an existing key, showing the assigned basic and account-level permissions

Bottom line

The one-time visibility constraint was the design problem that mattered most here. A key that cannot be retrieved after generation is a security property, not a limitation, but it puts the entire burden of not losing it on a single moment in the flow. Getting the reveal screen right, with the right prompts and the right sense of weight, was the part that required the most iteration.
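
A common way a backend gets the "visible once, never retrievable" property is to store only a digest of the key, so there is nothing to show again after the reveal screen closes. The sketch below is an added illustration, not Wix's implementation or code from this case study; `KeyStore`, its methods and the scope names are hypothetical.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class KeyRecord:
    name: str
    digest: str          # SHA-256 hex of the token; the token itself is never stored
    scopes: frozenset    # granular permissions chosen at generation
    revoked: bool = False


class KeyStore:
    """Hypothetical server-side store for show-once API keys."""

    def __init__(self):
        self._records = {}  # key_id -> KeyRecord

    def generate(self, name, scopes):
        """Return (key_id, token). The return value is the only copy of the token."""
        key_id = secrets.token_hex(4)
        token = f"{key_id}.{secrets.token_urlsafe(32)}"
        # A plain hash is enough here because the token carries 256 random bits.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._records[key_id] = KeyRecord(name, digest, frozenset(scopes))
        return key_id, token

    def reveal(self, key_id):
        """Nothing to reveal: the digest cannot be turned back into the token."""
        raise LookupError("token is shown once; revoke and generate a new key")

    def revoke(self, key_id):
        self._records[key_id].revoked = True

    def authorize(self, token, scope):
        """Check a presented token against the stored digest and its scopes."""
        rec = self._records.get(token.partition(".")[0])
        if rec is None or rec.revoked:
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(presented, rec.digest) and scope in rec.scopes

    def dump(self):
        """Everything the management table could ever display."""
        return repr(self._records)
```

A lost key is therefore handled by revoking it and generating a replacement, which is why the reveal screen carries so much weight.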