Whitelisting Sanity Webhook origin in a staging environment.
Great question about webhook security! When setting up firewall rules for Sanity webhooks in your staging environment, here's what you need to know:
IP Whitelisting
Sanity webhooks are sent from a specific set of IP addresses that you can whitelist in your firewall. The current IP addresses are:
34.79.12.22935.205.99.11635.190.215.189
You can find the latest list at https://www.sanity.io/files/webhooks-egress-ips.txt.
While https://api.sanity.io is the domain webhooks originate from conceptually, for firewall allowlisting you'll want to use these specific IP addresses rather than trying to resolve the domain, as that would be less reliable for security configurations.
Additional Security Recommendations
Beyond IP whitelisting, Sanity's webhook best practices recommend implementing additional security measures:
- Secret Verification: Configure a secret token in your webhook settings and verify it in the request headers
- Signature Verification: Use the webhook toolkit to verify webhook signatures and ensure payload integrity
- Idempotency: Check the
idempotency-keyheader to handle duplicate deliveries gracefully
This layered approach (IP allowlist + secret verification + signature verification) provides robust security for your webhook endpoint.
Sanity – Build the way you think, not the way your CMS thinks
Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.