
3 replies
Last updated: Sep 14, 2020

Hi all, one quick question. The "robot user token" with write access should never be used in a frontend bundle (like Gatsby). The only correct way to use the write token is to implement an API endpoint and hide the token behind that API. Client code invokes the API and then the API uses the write token to make the modification in Sanity.... is my understanding correct?
Or is there some other safe way to use write tokens in "front-end-client-only" implementations?

Sep 14, 2020, 7:22 AM

I’ve put the token in an ENV variable, and written a server side serverless function that accepts form input, does sanitization, error checking, etc, and then writes to Sanity.

Sep 14, 2020, 8:16 AM

AFAIK this is completely correct! Any code on your frontend runs in the client so there’s no way to secure a token to my knowledge that couldn’t be retrieved by any third-party visiting the website.
A little serverless function makes it fairly painless 🙂

Sep 14, 2020, 8:17 AM

Got it. Thanks, guys.

Sep 14, 2020, 9:49 AM
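The pattern the replies describe (token in an environment variable, a serverless function that validates the form input and performs the write), as an added example that is not code from this thread or from Sanity. It assumes a Netlify/AWS-style `event` object with `httpMethod` and `body`, an environment variable named `SANITY_WRITE_TOKEN` plus `SANITY_PROJECT_ID` and `SANITY_DATASET`, a document type called `contactSubmission`, and API version `2021-06-07`; all of those names are assumptions. The security-relevant parts are that the token is read only from the server environment, that the handler allow-lists the three fields it accepts so a visitor cannot smuggle in `_type`, `_id` or a different mutation, and that it never echoes the upstream response body (which could leak details) back to the browser.

```javascript
// Added example (not from the thread). Assumed names: SANITY_WRITE_TOKEN,
// SANITY_PROJECT_ID, SANITY_DATASET env vars, document type "contactSubmission",
// API version "2021-06-07", Netlify/AWS-style event object.

const MAX_LEN = { name: 100, email: 254, message: 2000 };
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Strip ASCII control characters (keeping tab/newline only in the message) and trim.
function clean(value, allowNewlines) {
  const re = allowNewlines
    ? /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/g
    : /[\u0000-\u001F\u007F]/g;
  return String(value).replace(re, '').trim();
}

// Allow-list the fields we accept. Anything else the client sends is dropped,
// so a visitor cannot choose _type, _id, or arbitrary attributes.
function validateSubmission(body) {
  if (!body || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, error: 'invalid body' };
  }
  const doc = {};
  for (const field of ['name', 'email', 'message']) {
    if (typeof body[field] !== 'string') return { ok: false, error: `${field} is required` };
    const v = clean(body[field], field === 'message');
    if (v.length === 0 || v.length > MAX_LEN[field]) return { ok: false, error: `${field} length invalid` };
    doc[field] = v;
  }
  if (!EMAIL_RE.test(doc.email)) return { ok: false, error: 'email is invalid' };
  return { ok: true, doc };
}

// Build the request for Sanity's mutation endpoint. The mutation is fixed to a
// single "create" of one document type; the client never supplies the mutation.
function buildSanityRequest({ projectId, dataset, apiVersion, token }, doc, now) {
  return {
    url: `https://${projectId}.api.sanity.io/v${apiVersion}/data/mutate/${dataset}`,
    options: {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
      body: JSON.stringify({
        mutations: [{ create: { _type: 'contactSubmission', ...doc, submittedAt: now } }],
      }),
    },
  };
}

// The serverless entry point. The token comes only from the server environment
// (or an injected deps.token for testing), never from the request.
async function handleSubmission(event, deps = {}) {
  const fetchImpl = deps.fetch || globalThis.fetch;
  const token = deps.token || process.env.SANITY_WRITE_TOKEN;
  const projectId = deps.projectId || process.env.SANITY_PROJECT_ID;
  const dataset = deps.dataset || process.env.SANITY_DATASET;
  if (!token || !projectId || !dataset) {
    return { statusCode: 500, body: JSON.stringify({ error: 'server misconfigured' }) };
  }
  if (event.httpMethod !== 'POST') {
    return { statusCode: 405, body: JSON.stringify({ error: 'method not allowed' }) };
  }
  let parsed;
  try {
    parsed = JSON.parse(event.body || '');
  } catch (e) {
    return { statusCode: 400, body: JSON.stringify({ error: 'invalid JSON' }) };
  }
  const result = validateSubmission(parsed);
  if (!result.ok) return { statusCode: 400, body: JSON.stringify({ error: result.error }) };

  const req = buildSanityRequest(
    { projectId, dataset, apiVersion: '2021-06-07', token },
    result.doc,
    new Date().toISOString()
  );
  const res = await fetchImpl(req.url, req.options);
  // Do not forward Sanity's response body to the browser; it may contain details
  // (dataset name, document ids, error text) the visitor has no need to see.
  if (!res.ok) return { statusCode: 502, body: JSON.stringify({ error: 'upstream write failed' }) };
  return { statusCode: 201, body: JSON.stringify({ ok: true }) };
}

// Constructed sample run with a fake fetch so the example works offline.
const sampleEvent = {
  httpMethod: 'POST',
  body: JSON.stringify({ name: 'Ada', email: 'ada@example.com', message: 'Hello', _type: 'author' }),
};
const fakeFetch = async (url, options) => ({ ok: true, url, options });
handleSubmission(sampleEvent, { fetch: fakeFetch, token: 'example-token', projectId: 'abc123', dataset: 'production' })
  .then((r) => console.log(r.statusCode, r.body));
```

In the client, the Gatsby form simply `fetch`es this function's URL with the three fields; the bundle never contains the token, and the function is the only code that can mint a mutation, so even a malicious visitor is limited to creating well-formed `contactSubmission` documents.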
