Using tokens to deploy APIs

9 replies
Last updated: Feb 8, 2021
So many questions today 😆.
I am collaborating with another dev on a project and I’d like them to be able to deploy the api but:
1. I don’t necessarily want to add them as an administrator - is there a non-admin role, or some kind of auth token they can use to deploy the api?
2. Can I specify which datasets they can deploy for (e.g. only development and not production)?
Thanks!
AI Update

Great questions! Let me break down the deployment permissions for GraphQL APIs (and Studio deployment):

1. Non-admin roles for deploying

Unfortunately, only users with the Administrator role can deploy the GraphQL API using sanity graphql deploy. According to the CLI errors documentation, if you try to run this command with only Write or Read+Write access, you'll get an "Unauthorized" error.

However, there is a workaround using deploy tokens:

You can create a robot token (API token) with Administrator permissions specifically for deployment purposes. Your collaborator can use this token to deploy without being added as a full Administrator:

# Set the token as an environment variable
export SANITY_AUTH_TOKEN=your-deploy-token

# Then run the deploy command
sanity graphql deploy

To create a deploy token:

  1. Go to sanity.io/manage or run npx sanity manage
  2. Navigate to API → Tokens
  3. Create a new robot token with Administrator permissions
  4. Share this token securely with your collaborator (use environment variables, never commit it to code!)

This approach is mentioned in the schema deployment docs and follows the same pattern for other deployment commands like sanity schema deploy.

2. Dataset-level deployment restrictions

Unfortunately, you cannot restrict GraphQL deployment to specific datasets at the permission level. The Administrator role (or deploy token with Admin permissions) grants access to deploy for all datasets in the project.

Workarounds:

  • Use separate projects for production vs. development environments, each with their own access controls
  • Implement a CI/CD pipeline that controls which datasets get deployed based on branch/environment
  • Use custom roles (Enterprise feature) to restrict overall dataset access, though this won't specifically limit deployment permissions

The sanity graphql deploy command does support a --dataset <name> flag to specify which dataset to deploy for, but the permission to run the command itself is all-or-nothing at the project level.

Hope this helps! The deploy token approach is probably your best bet for controlled deployment access without full Administrator privileges.
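
An added example, not part of the original thread and not Sanity's own tooling: a CI wrapper that enforces the dataset restriction the token itself cannot, built only on the SANITY_AUTH_TOKEN variable and --dataset flag mentioned above. ALLOWED_DATASETS, SANITY_BIN and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: gate `sanity graphql deploy` behind a dataset allowlist.
# ALLOWED_DATASETS, SANITY_BIN and the function names are assumptions;
# only SANITY_AUTH_TOKEN and --dataset come from the thread.

ALLOWED_DATASETS="${ALLOWED_DATASETS:-development staging}"

# Succeeds only if $1 is a plain name that appears in the allowlist.
dataset_allowed() {
  case "$1" in
    # Conservative check: reject empty input and any character (spaces,
    # quotes, '=') that could smuggle extra arguments into the CLI call.
    ''|*[!a-z0-9_-]*) return 1 ;;
  esac
  for allowed in $ALLOWED_DATASETS; do
    if [ "$allowed" = "$1" ]; then
      return 0
    fi
  done
  return 1
}

# Deploys the GraphQL API for one dataset. The token is taken from the
# environment (CI secret store) and is never echoed or logged here.
deploy_graphql() {
  dataset="$1"
  if ! dataset_allowed "$dataset"; then
    echo "refusing to deploy: dataset '$dataset' is not in the allowlist" >&2
    return 2
  fi
  if [ -z "${SANITY_AUTH_TOKEN:-}" ]; then
    echo "SANITY_AUTH_TOKEN is not set; inject it from the CI secret store" >&2
    return 3
  fi
  export SANITY_AUTH_TOKEN
  # SANITY_BIN lets a pipeline pin the CLI path; it defaults to `sanity`.
  "${SANITY_BIN:-sanity}" graphql deploy --dataset "$dataset"
}

# Run only when a dataset argument is given, e.g. ./deploy.sh development
if [ "$#" -gt 0 ]; then
  deploy_graphql "$1"
fi
```

With this in place the collaborator triggers the pipeline rather than holding the token, so the allowlist, not the token's project-wide scope, decides which datasets can be deployed.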

9 replies
Not that I am aware of. You may need to create a small app in-front to proxy these requests.
Thanks Wes. Looks like custom access control is actually an enterprise feature https://www.sanity.io/docs/access-control
Ah, well, if you need to use the other enterprise features too it may be worth getting it. Personally I would just spend a little extra time writing a small-app to manage it 🙂. I wish the enterprise features were sold separately as the price jump is insane.
You do have the option of creating a token with the "Deploy studio" role, which will let you deploy both studios and GraphQL APIs.
Hi Espen Hovlandsdal that sounds really useful! I see Administrator, Read+Write, and Read roles in both the GUI and CLI. How can I tap into this deploy studio role magic?
I’ve been really appreciating your help today!
🤦 I think I have figured it out - using a deploy studio token via the api settings. 🎉
Yep, that's it 🙂 You'll have to use SANITY_AUTH_TOKEN=<token> sanity graphql deploy to use it
