Get help on Discord

XMLHttpRequest Blocked by CORS Policy

3 replies
Last updated: Apr 17, 2021
Do you know why I might be getting CORS issue using @sanity/client?
Access to XMLHttpRequest at ‘https://projectId.api.sanity.io/v1/data/query/production?query=*%5B_id%20%3D%3D%20%22d3f9be2c-d6f1-4e13-921e-aad11bdbe554%22%5D%20%20%7B%0A%20%20%20%20...%2C%0A%20%20%7D ’ from origin ‘https://my-domain ’ has been blocked by CORS policy: The value of the ‘Access-Control-Allow-Credentials’ header in the response is ‘’ which must be ‘true’ when the request’s credentials mode is ‘include’. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I have added this domain as described here https://www.sanity.io/docs/cors
AI Update

Based on the error message you're seeing, the issue is specifically with the credentials configuration. The error states that Access-Control-Allow-Credentials must be 'true' when credentials mode is 'include', which indicates you need to enable the "Allow credentials" option in your CORS settings.

Here's how to fix this:

Enable "Allow Credentials" in CORS Settings

  1. Go to manage.sanity.io
  2. Navigate to your project
  3. Go to Settings > API > CORS Origins
  4. Find your domain (https://my-domain) in the list
  5. Check the "Allow credentials" checkbox next to that origin
  6. Save the changes

This checkbox is crucial when using authentication tokens with @sanity/client. According to the Sanity CORS documentation, the "Allow credentials" setting must be enabled for any origin that needs to send authenticated requests.

Why This Happens

The @sanity/client library sends requests with credentials when you're using authentication tokens. This causes the browser to set the request's credentials mode to 'include', which requires the server to respond with Access-Control-Allow-Credentials: true. Without the checkbox enabled in your CORS settings, Sanity's API won't send this header, causing the browser to block the request.

Additional Tips

  • Make sure the origin you added matches exactly (including https:// vs http://)
  • If you're developing locally, you'll also need to add your localhost URL (e.g., http://localhost:3000) with credentials enabled
  • The CORS settings apply to the Data API but not to the Asset CDN, so asset requests have different considerations

After enabling the "Allow credentials" checkbox, your requests should work properly. The change should take effect immediately without needing to restart your application.

Sounds like you might have defined a token when instantiating the client?
That's generally not recommended unless this is for an intranet-solution or something behind another layer of authentication, since the token will be visible to anyone on that page.

If it
is intentional, you need to check the "Allow credentials" checkbox when creating the CORS origin
hey
user Z
thanks for help. I don’t think I have added a token 🤔 This is how it looks on the client side:
I think I found the issue, I had to change the API settings to allow credentials on this domain

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?