Resolving access issues with Sanity's Users API using user tokens
The "Robots are not allowed" error you're encountering with the Sanity Users API has been resolved! Here's what happened and how to fix it:
What Was Happening
The Access API (which includes the Users endpoint at api.sanity.io/vX/access/projects/{projectId}/users) was initially configured to only accept personal user tokens, not robot tokens. This was an intentional restriction when the API was first released.
The Solution
Good news: As of January 17, 2025, the Sanity backend team pushed a change that now allows you to use robot tokens with the Access API.
How to Use It Now
You can now access the Users API with a standard robot token:
Create a robot token in your project's management console:
- Go to Settings → API → Tokens
- Click "Add new token"
- Give it appropriate permissions
- Copy the token (it's only shown once!)
Use the correct API version - Replace vX with an actual API version like v2025-01-09 (format: vyyyy-mm-dd)
Make your request with the robot token:
curl -H "Authorization: Bearer YOUR_ROBOT_TOKEN" \
  https://YOUR_PROJECT.api.sanity.io/v2025-01-09/access/projects/YOUR_PROJECT_ID/users
Alternative: Personal Token (If Needed)
If for some reason you still need to use a personal token, you can get yours by running:
sanity debug --secrets
Look for the "Auth token" value under "Authentication". However, this is no longer necessary since robot tokens now work with the Access API.
Important Notes
- Make sure you're using a dated API version (like v2025-01-09), not vX, v2, or v3
- Robot tokens are the recommended approach for programmatic access
- Store your tokens securely as environment variables, and never commit them to version control
- The Access API documentation provides full details on available endpoints
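The curl request and the notes above can be combined into a small wrapper that refuses undated API versions and keeps the token out of the command line. This is an added example, not Sanity's own code; the variable SANITY_ROBOT_TOKEN, the function names, and the assumption that the project ID fills both placeholders in the URL are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not Sanity's code. SANITY_ROBOT_TOKEN and all function
# names are assumptions made for this sketch.

# Accept only dated API versions (vYYYY-MM-DD); reject vX, v2, v3 and so on.
valid_api_version() {
  case "$1" in
    v[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Build the Users endpoint URL in the form used by the curl command above.
# Assumes the project ID fills both YOUR_PROJECT and YOUR_PROJECT_ID.
users_url() {
  local project="$1" version="$2"
  valid_api_version "$version" || { echo "bad API version: $version" >&2; return 2; }
  # Conservative allow-list so the value cannot alter the host or path.
  case "$project" in
    ''|*[!A-Za-z0-9-]*) echo "bad project id" >&2; return 2 ;;
  esac
  printf 'https://%s.api.sanity.io/%s/access/projects/%s/users\n' \
    "$project" "$version" "$project"
}

# Call the endpoint with the token read from the environment. The header is
# sent to curl on stdin (-H @-, curl 7.55.0 or later) by the printf builtin,
# so the token never shows up in the process list or in shell history.
fetch_users() {
  local url body
  [ -n "${SANITY_ROBOT_TOKEN:-}" ] || { echo "SANITY_ROBOT_TOKEN is not set" >&2; return 3; }
  url=$(users_url "$1" "$2") || return $?
  body=$(printf 'Authorization: Bearer %s\n' "$SANITY_ROBOT_TOKEN" |
    curl --silent --show-error -H @- "$url") || return 4
  case "$body" in
    *"Robots are not allowed"*)
      echo "endpoint rejected the robot token" >&2; return 5 ;;
  esac
  printf '%s\n' "$body"
}

# Usage (after exporting SANITY_ROBOT_TOKEN from a secret store):
#   fetch_users YOUR_PROJECT_ID v2025-01-09
```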
About Robot vs Personal Tokens
As explained in the Sanity authentication documentation:
- Personal tokens are tied to your user account and give complete access as your user. They last for one year (shorter with SAML SSO)
- Robot tokens are dedicated tokens for applications with specific permissions. They last until deleted and are the recommended approach for programmatic access
- Not all APIs allow robot tokens, but the Access API now does!
The issue has been resolved at the platform level, so you should now be able to access the Users API with your robot token without any "Robots are not allowed" errors!