Can I use the logged-in user's token instead of a robot token in a Sanity plugin?

2 replies
Last updated: Aug 18, 2021
Hi, simple question 💡 Inside a Sanity Studio plugin, can you get the current logged-in user's authentication token directly, or do you need a robot Read/Write token to fetch data from the Studio?
I have a plugin which gets content from the Studio, and it works with a robot R/W token, but I'd like to not have a robot token for this action, and instead use the signed-in user's token.
AI Update

Great question! Yes, you can absolutely use the current logged-in user's authentication token instead of a robot token when building a Sanity Studio plugin.

When you use the useClient hook inside a Studio plugin, it returns a configured Sanity Client that automatically uses the current user's authentication token. You don't need to manually pass any tokens or credentials - the Studio handles this for you behind the scenes.

Here's how to use it in your plugin:

import { useEffect, useState } from 'react'
import { useClient } from 'sanity'

function MyPlugin() {
  // This client is authenticated with the current user's token
  const client = useClient({ apiVersion: '2023-05-24' })
  const [docs, setDocs] = useState([])

  // Fetch with the logged-in user's permissions: a user without read access
  // to the dataset gets an error here rather than a result
  useEffect(() => {
    client
      .fetch('*[_type == $type]', { type: 'myType' })
      .then(setDocs)
      .catch((err) => console.error(err))
  }, [client])

  return <ul>{docs.map((doc) => <li key={doc._id}>{doc._id}</li>)}</ul>
}

The key benefit here is that the client respects the current user's permissions. If the user has read access to the dataset, the queries will work. You don't need a separate robot token for this use case.

Important note: Since useClient is a React hook, you can only call it inside React function components or custom hooks - it follows React's rules of hooks. If you need to use the client outside of a React component context, you'd need to pass it down as a prop or use a different approach.

This approach is much cleaner and more secure than using a robot token, as it ensures users can only access data according to their assigned permissions in your Sanity project. The authenticated requests work seamlessly within the Studio environment, making it the preferred method for Studio plugins that need to fetch content.

Solution:
Add credentials: 'include' in the fetch request of your plugin. That will use the signed-in session cookie.
You can also use the built-in client that the studio uses, which is set up to use the authentication:
import client from 'part:@sanity/base/client'

// The Studio's own client, already configured with the signed-in user's auth
client
  .create({ _type: 'customDoc', foo: 'bar' })
  .then((doc) => console.log(doc))
  .catch((err) => console.error(err))
If you're outside the Studio, you can also configure the client to use auth if the user is logged in, that is, use the session token that is set on the Sanity API:

client.withConfig({ withCredentials: true })
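The two answers above (useClient in a v3 plugin, and credentials: 'include' / withCredentials in the original thread) both come down to the same HTTP-level difference: the request either carries the signed-in user's session cookie or a robot token in an Authorization header. The following is an added example, not code from the thread and not Sanity's own client: it builds a GROQ query against the Sanity HTTP query endpoint in either mode so that difference is visible in the request. The endpoint path and the $param=<JSON> query-string encoding follow the public HTTP query API; the projectId, dataset and token values are placeholders, and the API itself is replaced by a constructed fake so the code runs offline.

```javascript
// Added example; not from the thread above and not Sanity's own client code.
// projectId/dataset/token are placeholders and fakeSanityApi() is a constructed
// stand-in for api.sanity.io so this runs without network access.

function buildQueryRequest({ projectId, dataset, apiVersion, query, params = {} }, auth) {
  const url = new URL(`https://${projectId}.api.sanity.io/v${apiVersion}/data/query/${dataset}`)
  url.searchParams.set('query', query)
  for (const [name, value] of Object.entries(params)) {
    url.searchParams.set(`$${name}`, JSON.stringify(value)) // GROQ params travel as $name=<JSON>
  }
  const init = { method: 'GET', headers: { Accept: 'application/json' } }
  if (auth.mode === 'session') {
    // Signed-in user: the browser attaches the Sanity session cookie. No secret
    // lives in the plugin bundle, and the API enforces this user's own role.
    init.credentials = 'include'
  } else if (auth.mode === 'token') {
    // Robot token: the same token ships to every Studio user who loads the
    // bundle and grants the token's rights regardless of the user's role.
    init.headers.Authorization = `Bearer ${auth.token}`
  } else {
    throw new Error(`unknown auth mode: ${auth.mode}`)
  }
  return { url: url.toString(), init }
}

async function runQuery(spec, auth, fetchImpl = globalThis.fetch) {
  const { url, init } = buildQueryRequest(spec, auth)
  const res = await fetchImpl(url, init)
  if (res.status === 401 || res.status === 403) {
    // In session mode this means "this user may not read that"; in token mode
    // it means a bad or revoked token. Surface it instead of returning nothing.
    throw new Error(`query denied (${res.status}) in ${auth.mode} mode`)
  }
  if (!res.ok) throw new Error(`query failed with HTTP ${res.status}`)
  return (await res.json()).result
}

// Hypothetical robot token value, used only by the fake API below.
const VALID_ROBOT_TOKEN = 'sk-example-robot-token'

// Constructed stand-in for the Sanity API: accepts a request only if it carries
// the session-cookie flag or the one robot token it knows about.
function fakeSanityApi() {
  const reply = (status, body) => ({ status, ok: status >= 200 && status < 300, json: async () => body })
  return async (_url, init) => {
    const viaSession = init.credentials === 'include'
    const viaToken = init.headers.Authorization === `Bearer ${VALID_ROBOT_TOKEN}`
    if (!viaSession && !viaToken) return reply(401, { error: 'Unauthorized' })
    return reply(200, { result: [{ _id: 'a1', _type: 'customDoc', foo: 'bar' }] })
  }
}

// Placeholder project/dataset; the query matches the customDoc type from the thread.
const sampleQuery = {
  projectId: 'abc123',
  dataset: 'production',
  apiVersion: '2023-05-24',
  query: '*[_type == $type]',
  params: { type: 'customDoc' },
}

runQuery(sampleQuery, { mode: 'session' }, fakeSanityApi()).then((docs) => console.log(docs))
```

Inside the Studio you would not hand-roll this: the client from useClient (v3) or part:@sanity/base/client (v2) is already configured to send the user's session, which is the session mode above. Two practical caveats: a cookie-based request from a custom origin only works if that origin is listed in the project's CORS origins with credentials allowed, and a robot token bundled into plugin code is readable by anyone who can load the Studio, so it gives every Studio user that token's rights rather than their own.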
