Public datasets in Sanity: Read vs Write access with tokens?
That's correct! A public dataset in Sanity means public read access only. Write operations always require authentication via a token.
Here's how it breaks down:
Public Read Access means anyone can query and fetch content from your dataset without authentication. This is useful for delivering published content to your website visitors. However, even with a public dataset, certain operations still require a token:
- Accessing draft documents (documents with "." in their IDs, like drafts.article-123)
- Using the previewDrafts perspective in GROQ queries
- Accessing any document marked as private based on custom roles
Write Access Always Requires a Token - there's no such thing as "public write access" in Sanity. Any operation that creates, updates, or deletes content requires authentication with an API token that has appropriate permissions.
This is a critical security feature. Even if your dataset is public for reading, you maintain complete control over who can modify your content. For write operations, you should use robot tokens (for production) or personal tokens (for development), and these should never be exposed in client-side code. Instead, implement write operations through:
- Server-side code or API routes
- Serverless functions (like Sanity Functions)
- Backend services where the token stays secure
So yes, your understanding is spot on: public datasets = public read only, write always requires a token with appropriate permissions.
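The split described above, as an added example that is not part of the original answer: a token-free public read next to a server-side write handler that keeps the token in the server environment. The project ID, dataset name, the SANITY_WRITE_TOKEN variable name, and the comment document shape are placeholders assumed for illustration.

```javascript
// Added example. All names below are assumptions, not values from the page.
const PROJECT_ID = 'your-project-id'; // placeholder
const DATASET = 'production';         // assumed dataset name
const API_VERSION = 'v2021-06-07';
const BASE = `https://${PROJECT_ID}.api.sanity.io/${API_VERSION}/data`;

// Public read: no Authorization header, so this is safe to ship to a browser.
function buildPublicQuery(groq) {
  return { url: `${BASE}/query/${DATASET}?query=${encodeURIComponent(groq)}`, headers: {} };
}

// Server-side write (API route or serverless function). The token is read from
// the server environment only. The handler accepts a narrow payload and builds
// the mutation itself, so callers cannot push arbitrary mutations through it.
async function handleCommentSubmit(body, env, fetchImpl = fetch) {
  const token = env.SANITY_WRITE_TOKEN; // hypothetical variable name
  if (!token) return { status: 500, body: { error: 'server misconfigured' } };

  const { postId, text } = body || {};
  // No "." allowed, so a caller cannot point the reference at a drafts.* ID.
  const validId = typeof postId === 'string' && /^[A-Za-z0-9_-]{1,128}$/.test(postId);
  const validText = typeof text === 'string' && text.trim().length > 0 && text.length <= 2000;
  if (!validId || !validText) return { status: 400, body: { error: 'invalid input' } };

  const mutations = [{
    create: { _type: 'comment', post: { _type: 'reference', _ref: postId }, text: text.trim() },
  }];
  const res = await fetchImpl(`${BASE}/mutate/${DATASET}`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
    body: JSON.stringify({ mutations }),
  });
  // Fixed responses only: upstream error detail and headers are never relayed.
  return res.ok ? { status: 201, body: { ok: true } } : { status: 502, body: { error: 'write failed' } };
}
```

The third parameter exists so the handler can be exercised with a stub in tests; in a real route it defaults to the runtime's fetch.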