Getting Shopify webhook to work with sanity but the function in the Netlify environment catches an error.

The error message is clear: your Sanity API token doesn't have sufficient permissions to create documents. The 403 Forbidden status with "permission 'create' required" means the token being used in your Netlify function lacks write access.

The Problem

Looking at the code in that repo, the function is trying to execute a transaction that creates/updates product documents:

client
  .transaction()
  .createIfNotExists(product)
  .patch(data.id.toString(), patch => patch.set(product))
  .commit()

This requires a token with Editor permissions or a custom role that includes create/write permissions.

How to Fix It

1. Check Your Current Token Role

In your Netlify environment variables, you should have something like SANITY_API_TOKEN or similar. The token currently configured likely has Viewer (read-only) permissions.

2. Create a New Token with Write Permissions

According to the Sanity API tokens documentation, you need to create a robot token with appropriate permissions:

1. Run npx sanity@latest manage from your project directory, or access Sanity Manage from your Studio menu
2. Navigate to the API tab
3. Click Add API Token
4. Give it a descriptive name (e.g., "Shopify Webhook - Production")
5. Assign it the Editor role (or a custom role with create/update permissions)
6. Copy the token immediately (you won't see it again)

3. Update Netlify Environment Variables

1. Go to your Netlify site dashboard
2. Navigate to Site settings → Environment variables
3. Update the Sanity token variable with your new Editor token
4. Redeploy your site (or trigger a function rebuild)

Security Best Practice

Since this token has write permissions, it should never be exposed in frontend code. In your case, it's correctly being used server-side in a Netlify function, which is the right approach. The function acts as a secure intermediary between Shopify webhooks and your Sanity project.

Debugging Tips

To verify the token is working:

1. Check which token variable name the function expects - Look at how the Sanity client is initialized in the function to confirm the exact environment variable name
2. Verify the environment variable is set in Netlify - Sometimes variables don't propagate correctly after updates
3. Test locally first - Set the token in your local .env file and test the webhook locally using Shopify's webhook testing or a tool like ngrok
4. Check the token hasn't expired - Robot tokens don't expire by default, but personal tokens might

The token needs the Editor role at minimum because your transaction uses createIfNotExists() which requires create permissions. Once you've updated to a token with proper permissions, the webhook should work correctly.