Using tokens to deploy APIs

Not that I am aware of. You may need to create a small app in-front to proxy these requests.

Thanks Wes. Looks like custom access control is actually an enterprise feature https://www.sanity.io/docs/access-control

Ah, well, if you need to use the other enterprise features too it may be worth getting it. Personally I would just spend a little extra time writing a small-app to manage it 🙂 . I wish the enterprise features were sold separately as the price jump is insane.

You do have the option of creating a token with the "Deploy studio" role, which will let you deploy both studios and GraphQL APIs.

Hi @U9ZAZ2E9G that sounds really useful! I see Administrator, Read+Write , and Read roles in both the GUI and CLI. How can I tap into this deploy studio role magic? I’ve been really appreciating your help today!

🤦 I think have figured it out - using a deploy studio token via the api settings. 🎉

Yep, that's it 🙂 You'll have to use SANITY_AUTH_TOKEN=<token> sanity graphql deploy to use it

🤦 I think have figured it out - using a deploy studio token via the api settings. 🎉

Yep, that's it 🙂 You'll have to use SANITY_AUTH_TOKEN=<token> sanity graphql deploy to use it

Non-admin API deployment permissions and dataset-specific access contro...

Get help on Discord

9 replies

Last updated: Nov 30, 2025

So many questions today 😆 .
I am collaborating with another dev on a project and I’d like them to be able to deploy the api but:
1. I don’t necessarily want to add them as an administrator - is there a non-admin role, or some kind of auth token they can use to deploy the api?
2. Can I specify which datasets they can deploy for (e.g. only development and not production)?
Thanks!

AI Update

Great questions! Let me break down the deployment permissions for GraphQL APIs (and Studio deployment):

1. Non-admin roles for deploying

Unfortunately, only users with the Administrator role can deploy the GraphQL API using sanity graphql deploy. According to the CLI errors documentation, if you try to run this command with only Write or Read+Write access, you'll get an "Unauthorized" error.

However, there is a workaround using deploy tokens:

You can create a robot token (API token) with Administrator permissions specifically for deployment purposes. Your collaborator can use this token to deploy without being added as a full Administrator:

# Set the token as an environment variable
export SANITY_AUTH_TOKEN=your-deploy-token

# Then run the deploy command
sanity graphql deploy

To create a deploy token:

Go to sanity.io/manage or run npx sanity manage
Navigate to API → Tokens
Create a new robot token with Administrator permissions
Share this token securely with your collaborator (use environment variables, never commit it to code!)

This approach is mentioned in the schema deployment docs and follows the same pattern for other deployment commands like sanity schema deploy.

2. Dataset-level deployment restrictions

Unfortunately, you cannot restrict GraphQL deployment to specific datasets at the permission level. The Administrator role (or deploy token with Admin permissions) grants access to deploy for all datasets in the project.

Workarounds:

Use separate projects for production vs. development environments, each with their own access controls
Implement a CI/CD pipeline that controls which datasets get deployed based on branch/environment
Use custom roles (Enterprise feature) to restrict overall dataset access, though this won't specifically limit deployment permissions

The sanity graphql deploy command does support a --dataset <name> flag to specify which dataset to deploy for, but the permission to run the command itself is all-or-nothing at the project level.

Hope this helps! The deploy token approach is probably your best bet for controlled deployment access without full Administrator privileges.

Show original thread

9 replies

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for free Explore the demo

Using tokens to deploy APIs

1. Non-admin roles for deploying

2. Dataset-level deployment restrictions

Sanity – Build the way you think, not the way your CMS thinks

Was this answer helpful?