Using tokens to deploy APIs
I am collaborating with another dev on a project and I’d like them to be able to deploy the api but:
1. I don’t necessarily want to add them as an administrator - is there a non-admin role, or some kind of auth token they can use to deploy the api?
2. Can I specify which datasets they can deploy for (e.g. only development and not production)?
Thanks!
Great questions! Let me break down the deployment permissions for GraphQL APIs (and Studio deployment):
1. Non-admin roles for deploying
Unfortunately, only users with the Administrator role can deploy the GraphQL API using sanity graphql deploy. According to the CLI errors documentation, if you try to run this command with only Write or Read+Write access, you'll get an "Unauthorized" error.
However, there is a workaround using deploy tokens:
You can create a robot token (API token) with Administrator permissions specifically for deployment purposes. Your collaborator can use this token to deploy without being added as a full Administrator:
# Set the token as an environment variable
export SANITY_AUTH_TOKEN=your-deploy-token
# Then run the deploy command
sanity graphql deployTo create a deploy token:
- Go to sanity.io/manage or run
npx sanity manage - Navigate to API → Tokens
- Create a new robot token with Administrator permissions
- Share this token securely with your collaborator (use environment variables, never commit it to code!)
This approach is mentioned in the schema deployment docs and follows the same pattern for other deployment commands like sanity schema deploy.
2. Dataset-level deployment restrictions
Unfortunately, you cannot restrict GraphQL deployment to specific datasets at the permission level. The Administrator role (or deploy token with Admin permissions) grants access to deploy for all datasets in the project.
Workarounds:
- Use separate projects for production vs. development environments, each with their own access controls
- Implement a CI/CD pipeline that controls which datasets get deployed based on branch/environment
- Use custom roles (Enterprise feature) to restrict overall dataset access, though this won't specifically limit deployment permissions
The sanity graphql deploy command does support a --dataset <name> flag to specify which dataset to deploy for, but the permission to run the command itself is all-or-nothing at the project level.
Hope this helps! The deploy token approach is probably your best bet for controlled deployment access without full Administrator privileges.
Show original thread9 replies
Was this answer helpful?
Sanity – Build the way you think, not the way your CMS thinks
Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.
