CORS Error: Access-Control-Allow-Credentials Issue with @sanity/client

Based on the error message you're seeing, the issue is specifically with the credentials configuration. The error states that Access-Control-Allow-Credentials must be 'true' when credentials mode is 'include', which indicates you need to enable the "Allow credentials" option in your CORS settings.

Here's how to fix this:

Enable "Allow Credentials" in CORS Settings

1. Go to manage.sanity.io
2. Navigate to your project
3. Go to Settings > API > CORS Origins
4. Find your domain (https://my-domain) in the list
5. Check the "Allow credentials" checkbox next to that origin
6. Save the changes

This checkbox is crucial when using authentication tokens with @sanity/client. According to the Sanity CORS documentation, the "Allow credentials" setting must be enabled for any origin that needs to send authenticated requests.

Why This Happens

The @sanity/client library sends requests with credentials when you're using authentication tokens. This causes the browser to set the request's credentials mode to 'include', which requires the server to respond with Access-Control-Allow-Credentials: true. Without the checkbox enabled in your CORS settings, Sanity's API won't send this header, causing the browser to block the request.

Additional Tips

• Make sure the origin you added matches exactly (including https:// vs http://)
• If you're developing locally, you'll also need to add your localhost URL (e.g., http://localhost:3000) with credentials enabled
• The CORS settings apply to the Data API but not to the Asset CDN, so asset requests have different considerations

After enabling the "Allow credentials" checkbox, your requests should work properly. The change should take effect immediately without needing to restart your application.