Get help on Discord

Issue with GROQ-powered webhook and missing authentication token in API call

7 replies
Last updated: Aug 10, 2023
I have created a GROQ-powered webhook, but when I publish a document to trigger it I get the error: 
"hookId":"LBazGCoTp3zcMIp","isFailure":true,"failureReason":"other","resultCode":403,"resultBody":"{\"message\":\"Missing Authentication Token\"}"}
. Is this related to the API tokens on Sanity? It only happens on the production dataset.
AI Update

The error you're seeing - "Missing Authentication Token" with a 403 status code - is not related to Sanity API tokens. This is actually coming from your webhook's destination endpoint, not from Sanity itself.

Here's what's happening: Sanity is successfully sending the webhook request, but the receiving endpoint (likely an AWS API Gateway based on that error message) is rejecting it because it expects authentication that isn't being provided.

Why it only happens in production

The most common reason this only occurs on your production dataset is that your production webhook is pointing to a different endpoint URL than your development webhook, or the production endpoint has different authentication requirements configured.

How to fix it

Check your webhook endpoint configuration:

  1. Go to sanity.io/manage, select your project, and navigate to the API section
  2. Find your webhook and verify the URL it's pointing to
  3. If it's an AWS API Gateway endpoint, check if the endpoint requires:
    • An API key (passed as x-api-key header)
    • AWS IAM authentication
    • A Lambda authorizer

Add authentication headers to your webhook:

When configuring your GROQ-powered webhook, you can add custom HTTP headers. If your endpoint requires an API key:

  1. Edit your webhook configuration
  2. Add a custom header like x-api-key: your-api-key-here
  3. Save and test again

Alternative: Remove authentication requirement

If this endpoint should be publicly accessible (common for webhooks), you may need to configure your API Gateway to allow unauthenticated requests for this specific route.

Testing tip

You can temporarily point your webhook to a service like webhook.site to verify that Sanity is successfully sending the payload. If that works, you'll know the issue is definitely with your receiving endpoint's authentication configuration, not with Sanity.

The key takeaway: Sanity webhooks themselves don't require authentication tokens to send - this error is your destination server asking for credentials that the webhook request isn't providing.

Looks like you will need to pass in the API token in the API call :
--header 'Authorization: Bearer ${token}'
Can you check to see if you are doing so correctly?
I am not. What kind of token do I have to create?
I would recommend taking a look at this doc and follow the guidance there on how to get the token.
Thanks, I’ll try this. I’m confused why an auth token is only required when dealing with a production dataset (staging and dev didn’t require one). Do you know where I can see the settings for this?
Ah, I see it’s related to the dataset visibility.
Are you able to make the request work now with a token?
yes, it works as expected, thanks.

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?