CORS error persists despite adding origins and allowing credentials
I can help you troubleshoot this CORS issue! Based on the error you're experiencing, here are the most common causes and solutions:
Check Your CORS Configuration
First, verify your CORS settings in the Sanity Management Dashboard:
- Go to your project at manage.sanity.io
- Navigate to Settings > API > CORS Origins
- Make sure you've added the exact origin URLs including the protocol
Common Mistakes to Avoid
Protocol Matters: The most frequent issue is a protocol mismatch. Make sure you're adding:
http://localhost:3000(nothttps://localhost:3000) for local development- The exact port number you're using locally
https://your-domain.com(nothttp://) for your deployed site
Enable "Allow Credentials": If you're using authentication tokens with your Sanity client, you must check the "Allow credentials" checkbox for each origin. This is required when the Access-Control-Allow-Credentials header needs to be set to 'true'.
Specific Things to Try
- Remove the wildcard - Wildcards can sometimes cause issues. Instead, add each specific origin explicitly
- Check for trailing slashes - Don't include trailing slashes in your CORS origins (use
http://localhost:3000, nothttp://localhost:3000/) - Clear browser cache - CORS settings can be cached by your browser. Try hard-refreshing or opening in an incognito window
- Verify the exact error - Check your browser console for the specific CORS error message, as it will tell you which origin is being blocked
Studio-Specific Consideration
If you're accessing Sanity Studio itself (not just querying data), remember that:
- The hosted Studio at
yourproject.sanity.studioshouldn't need CORS configuration - If you're running
sanity devlocally, CORS shouldn't typically apply to the Studio interface itself, only to API requests from other origins
Asset CDN Limitation
One important note: CORS settings configured in the Management Dashboard apply to the Data API but not to the Asset CDN. If you're trying to fetch assets directly from the browser, you may encounter separate CORS restrictions.
The exact error message from your browser console would help narrow down whether it's an origin mismatch, credentials issue, or something else. Look for messages like "No 'Access-Control-Allow-Origin' header is present" (origin not added) or "Access-Control-Allow-Credentials' header must be 'true'" (credentials not enabled).
Show original thread19 replies
Was this answer helpful?
Sanity – Build the way you think, not the way your CMS thinks
Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.
