Get help on Discord

Issue with CORS policy when adding a token to a web application

2 replies
Last updated: Nov 6, 2023
Hi everyone,I've created a token to be able to use the create function inside my web application. However, when I add the token value in the createClient. Everything stops working. I had a blog setup previously only using projectId, but when I add the token it gives me the following error:


Access to XMLHttpRequest at 'URL_HERE' from origin '<http://localhost:3000>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute
I have added CORS policy for localhost:3000, it was working just fine before I started using the token.

Any ideas on how I can go about fixing this?
AI Update

Based on your error message, the issue is that you need to enable the "Allow credentials" checkbox for your CORS origin in your Sanity project settings. When you add a token to your createClient configuration, the Sanity client automatically includes credentials with requests, which requires this setting to be enabled.

Here's how to fix it:

  1. Go to manage.sanity.io
  2. Select your project
  3. Navigate to Settings → API → CORS Origins
  4. Find your http://localhost:3000 origin in the list
  5. Check the "Allow credentials" checkbox next to it
  6. Save the changes

The error you're seeing happens because when you add a token to createClient, the client sets withCredentials: true on its requests. This requires the server (Sanity) to respond with Access-Control-Allow-Credentials: true, which only happens when you've enabled the "Allow credentials" option for that specific origin.

Without the token, your requests were working fine because they didn't need credentials. Once you added the token, the browser started sending credentialed requests, which are subject to stricter CORS policies.

Important note: Make sure you've added the complete origin including the protocol (http://localhost:3000, not just localhost:3000). The origin must match exactly, including the port number.

For production, you'll need to do the same thing - add your production domain to CORS origins with "Allow credentials" enabled if you're using tokens in the browser.

As mentioned in the Sanity CORS documentation, this is a security feature to protect your content, so only add domains you trust and control.

There’s a flag to allow credentials when you set your CORS origin. Given you’re now using a token, it sounds like you still need to toggle that setting.
Ah yes. Just tired it out and it's working now.
Thank you very much for the help!

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?