Get help on Discord

GROQ webhook fails with 403 "Missing Authentication Token" on production dataset

7 replies
Last updated: Nov 29, 2025
I have created a GROQ-powered webhook, but when I publish a document to trigger it I get the error: 
"hookId":"LBazGCoTp3zcMIp","isFailure":true,"failureReason":"other","resultCode":403,"resultBody":"{\"message\":\"Missing Authentication Token\"}"}
. Is this related to the API tokens on Sanity? It only happens on the production dataset.
AI Update

The error you're seeing - "Missing Authentication Token" with a 403 status code - is not related to Sanity API tokens. This is actually coming from your webhook's destination endpoint, not from Sanity itself.

Here's what's happening: Sanity is successfully sending the webhook request, but the receiving endpoint (likely an AWS API Gateway based on that error message) is rejecting it because it expects authentication that isn't being provided.

Why it only happens in production

The most common reason this only occurs on your production dataset is that your production webhook is pointing to a different endpoint URL than your development webhook, or the production endpoint has different authentication requirements configured.

How to fix it

Check your webhook endpoint configuration:

  1. Go to sanity.io/manage, select your project, and navigate to the API section
  2. Find your webhook and verify the URL it's pointing to
  3. If it's an AWS API Gateway endpoint, check if the endpoint requires:
    • An API key (passed as x-api-key header)
    • AWS IAM authentication
    • A Lambda authorizer

Add authentication headers to your webhook:

When configuring your GROQ-powered webhook, you can add custom HTTP headers. If your endpoint requires an API key:

  1. Edit your webhook configuration
  2. Add a custom header like x-api-key: your-api-key-here
  3. Save and test again

Alternative: Remove authentication requirement

If this endpoint should be publicly accessible (common for webhooks), you may need to configure your API Gateway to allow unauthenticated requests for this specific route.

Testing tip

You can temporarily point your webhook to a service like webhook.site to verify that Sanity is successfully sending the payload. If that works, you'll know the issue is definitely with your receiving endpoint's authentication configuration, not with Sanity.

The key takeaway: Sanity webhooks themselves don't require authentication tokens to send - this error is your destination server asking for credentials that the webhook request isn't providing.

Show original thread
7 replies

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?