Getting Shopify webhook to work with sanity but the function in the Netlify environment catches an error.

The error looks to be coming from the promise after the client.commit() on line #61

Shopify webhook failing with Sanity permissions error on create mutatio...

2 replies

Last updated: Nov 29, 2025

Hello! I'm trying to get a Shopify webhook to work with sanity, using a Netlify environment and a Gatsby frontend. This is from a Github repo from lucasvocos. So far everything is connected and everything deploys fine but when I use Shopify to either send a test request or update a product, the function in the Netlify environment catches an error. I'm pretty sure Netlify has all the permissions and variables it needs. Function and error posted below.

https://github.com/lucasvocos/gatsby-sanity-shopify/blob/main/web/functions/shopify.js
I believe the error comes from line #56 in the function: How can I debug this?

client
      .transaction()
      .createIfNotExists(product)
      .patch(data.id.toString(), patch => patch.set(product))
      .commit()

ERROR:

Sanity error 4: ClientError: The mutation(s) failed: mutation failed on document "788032119674292900": Insufficient permissions; permission "create" required
    at onResponse (/var/task/src/node_modules/@sanity/client/lib/http/request.js:27:13)
    at /var/task/src/node_modules/get-it/lib-node/util/middlewareReducer.js:10:22
    at Array.reduce (<anonymous>)
    at applyMiddleware (/var/task/src/node_modules/get-it/lib-node/util/middlewareReducer.js:9:29)
    at onResponse (/var/task/src/node_modules/get-it/lib-node/index.js:81:22)
    at /var/task/src/node_modules/get-it/lib-node/index.js:48:55
    at callback (/var/task/src/node_modules/get-it/lib-node/request/node-request.js:57:46)
    at /var/task/src/node_modules/get-it/lib-node/request/node-request.js:141:14
    at DestroyableTransform.<anonymous> (/var/task/src/node_modules/simple-concat/index.js:7:13)
    at Object.onceWrapper (events.js:420:28) {
  response: {
    body: { error: [Object] },
    url: '***************************************',
    method: 'POST',
    headers: {
      'content-type': 'application/json; charset=utf-8',
      'content-length': '349',
      'x-sanity-shard': '*********************',
      'x-served-by': '*************',
      date: '********************',
      vary: 'Origin',
      xkey: 'project-************, project-******************',
      via: '1.1 google',
      'alt-svc': 'clear',
      connection: 'close'
    },
    statusCode: 403,
    statusMessage: 'Forbidden'
  }

AI Update

The error message is clear: your Sanity API token doesn't have sufficient permissions to create documents. The 403 Forbidden status with "permission 'create' required" means the token being used in your Netlify function lacks write access.

The Problem

Looking at the code in that repo, the function is trying to execute a transaction that creates/updates product documents:

client
  .transaction()
  .createIfNotExists(product)
  .patch(data.id.toString(), patch => patch.set(product))
  .commit()

This requires a token with Editor permissions or a custom role that includes create/write permissions.

How to Fix It

1. Check Your Current Token Role

In your Netlify environment variables, you should have something like SANITY_API_TOKEN or similar. The token currently configured likely has Viewer (read-only) permissions.

2. Create a New Token with Write Permissions

According to the Sanity API tokens documentation, you need to create a robot token with appropriate permissions:

Run npx sanity@latest manage from your project directory, or access Sanity Manage from your Studio menu
Navigate to the API tab
Click Add API Token
Give it a descriptive name (e.g., "Shopify Webhook - Production")
Assign it the Editor role (or a custom role with create/update permissions)
Copy the token immediately (you won't see it again)

3. Update Netlify Environment Variables

Go to your Netlify site dashboard
Navigate to Site settings → Environment variables
Update the Sanity token variable with your new Editor token
Redeploy your site (or trigger a function rebuild)

Security Best Practice

Since this token has write permissions, it should never be exposed in frontend code. In your case, it's correctly being used server-side in a Netlify function, which is the right approach. The function acts as a secure intermediary between Shopify webhooks and your Sanity project.

Debugging Tips

To verify the token is working:

Check which token variable name the function expects - Look at how the Sanity client is initialized in the function to confirm the exact environment variable name
Verify the environment variable is set in Netlify - Sometimes variables don't propagate correctly after updates
Test locally first - Set the token in your local .env file and test the webhook locally using Shopify's webhook testing or a tool like ngrok
Check the token hasn't expired - Robot tokens don't expire by default, but personal tokens might

The token needs the Editor role at minimum because your transaction uses createIfNotExists() which requires create permissions. Once you've updated to a token with proper permissions, the webhook should work correctly.

Show original thread