Resolving access issues with Sanity's Users API using user tokens

12 replies
Last updated: Jan 17, 2025
Hi All, I am using the following API:

api.sanity.io/vX/access/projects/{projectId}/users
This is as per the documentation:
Sanity API Reference. I have created a token with all permissions enabled, but I am still unable to access the Users API.
The API is returning the error:
"Robots are not allowed."

I think I need to create an auth token to access this api
but I am not able to find documentation for it

Could someone please help me with this?
AI Update

The "Robots are not allowed" error you're encountering with the Sanity Users API has been resolved! Here's what happened and how to fix it:

What Was Happening

The Access API (which includes the Users endpoint at api.sanity.io/vX/access/projects/{projectId}/users) was initially configured to only accept personal user tokens, not robot tokens. This was an intentional restriction when the API was first released.

The Solution

Good news: As of January 17, 2025, the Sanity backend team pushed a change that now allows you to use robot tokens with the Access API.

How to Use It Now

You can now access the Users API with a standard robot token:

  1. Create a robot token in your project's management console:

    • Go to Settings → API → Tokens
    • Click "Add new token"
    • Give it appropriate permissions
    • Copy the token (it's only shown once!)
  2. Use the correct API version - Replace vX with an actual API version like v2025-01-09 (format: vyyyy-mm-dd)

  3. Make your request with the robot token:

curl -H "Authorization: Bearer YOUR_ROBOT_TOKEN" \
  https://api.sanity.io/v2025-01-09/access/projects/YOUR_PROJECT_ID/users

Alternative: Personal Token (If Needed)

If for some reason you still need to use a personal token, you can get yours by running:

sanity debug --secrets

Look for the "Auth token" value under "Authentication". However, this is no longer necessary since robot tokens now work with the Access API.

Important Notes

  • Make sure you're using a dated API version (like v2025-01-09), not vX, v2, or v3
  • Robot tokens are the recommended approach for programmatic access
  • Store your tokens securely as environment variables, never commit them to version control
  • The Access API documentation provides full details on available endpoints

About Robot vs Personal Tokens

As explained in the Sanity authentication documentation:

  • Personal tokens are tied to your user account and give complete access as your user. They last for one year (shorter with SAML SSO)
  • Robot tokens are dedicated tokens for applications with specific permissions. They last until deleted and are the recommended approach for programmatic access
  • Not all APIs allow robot tokens, but the Access API now does!

The issue has been resolved at the platform level, so you should now be able to access the Users API with your robot token without any "Robots are not allowed" errors!
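
The request from the steps above as a Node.js sketch that keeps the token in the environment and recognises the 403 body quoted in this thread. This is an added example, not code from the thread or from Sanity; the function names and the `SANITY_PROJECT_ID` / `SANITY_API_TOKEN` variable names are assumptions, and it goes slightly beyond the curl call by rejecting non-dated API versions before anything is sent.

```javascript
// Added example: hypothetical helper names, not part of any Sanity SDK.
const DATED_VERSION = /^v\d{4}-\d{2}-\d{2}$/;

// Build the URL and headers from the environment so the token never
// appears in source code or on a command line.
function buildUsersRequest(env, apiVersion) {
  const projectId = env.SANITY_PROJECT_ID; // assumed variable name
  const token = env.SANITY_API_TOKEN;      // assumed variable name
  if (!projectId || !token) {
    throw new Error('SANITY_PROJECT_ID and SANITY_API_TOKEN must be set');
  }
  if (!DATED_VERSION.test(apiVersion)) {
    throw new Error(`use a dated API version (vyyyy-mm-dd), got "${apiVersion}"`);
  }
  const id = encodeURIComponent(projectId); // keep the id inside one path segment
  return {
    url: `https://api.sanity.io/${apiVersion}/access/projects/${id}/users`,
    headers: { Authorization: `Bearer ${token}` },
  };
}

// Map a failed response to a short label. Only the "Robots are not allowed"
// body is taken from the thread; the other labels are generic HTTP readings.
function explainFailure(status, bodyText) {
  let message = '';
  try {
    message = JSON.parse(bodyText).message || '';
  } catch {
    // body was not JSON; fall through to the status-only labels
  }
  if (status === 403 && /robots are not allowed/i.test(message)) {
    return 'robot-token-rejected';
  }
  if (status === 401) return 'unauthorized';
  if (status === 403) return 'forbidden-other';
  return `http-${status}`;
}

// Performs the call. A JSON success body is assumed.
async function listUsers(env = process.env, apiVersion = 'v2025-01-09', fetchImpl = fetch) {
  const { url, headers } = buildUsersRequest(env, apiVersion);
  const res = await fetchImpl(url, { headers });
  if (!res.ok) {
    // The error text carries the label only, never the token or headers.
    throw new Error(`Access API request failed: ${explainFailure(res.status, await res.text())}`);
  }
  return res.json();
}
```
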

are you changing vX to the actual api version which would be vyyyy-mm-dd aka v2025-01-09?
the auth tokens you create in your dashboard in sanity.io -> project -> api -> tokens.
you know what. I just tried this myself and I also can't access the api endpoint. with the same error. I tried all 3 token types and several api versions including vX, v2, v3, v2025-01-09. and still got the same 403 forbidden error
{"statusCode":403,"error":"Forbidden","message":"Robots are not allowed"}
which makes me think that maybe either A this is not public yet or B it requires CORS from an actual domain and not localhost for it to work.
also even trying this using the test request feature on this page results in the same error.
That error means the API cannot be authorized with a robot token. It needs the token of a user. I’m not sure why that’s the case, but I looked at the code and it was an intentional choice.
hmm maybe it's legacy from the CLI? since the cli would have the logged in user token?
No, because this endpoint is new (still in beta).
interesting.
Oh, wait. The use of OpenAPI is what’s in beta—not the API itself (though it is new).
ok got it working with that knowledge. at first I was like “how are we supposed to get the users secret without building our own auth” but sanity came through with a cli command. with your logged in user you can issue
sanity debug --secrets
which will dump your user token. Now the api works and gets me a list of all users. But I assume this is really for enterprise people who build their own SSO.
user M
I did the same thing and it worked for me as well
but I think keeping this secret key in env is not a good idea
Hi all. The backend team just pushed a change and you should now be able to use a robot token with the Access API.
