🔮 Sanity Create is here. Writing is reinvented. Try now, no developer setup

XMLHttpRequest Blocked by CORS Policy

3 replies
Last updated: Apr 17, 2021
Do you know why I might be getting CORS issue using @sanity/client?
Access to XMLHttpRequest at ‘https://projectId.api.sanity.io/v1/data/query/production?query=*%5B_id%20%3D%3D%20%22d3f9be2c-d6f1-4e13-921e-aad11bdbe554%22%5D%20%20%7B%0A%20%20%20%20...%2C%0A%20%20%7D ’ from origin ‘https://my-domain ’ has been blocked by CORS policy: The value of the ‘Access-Control-Allow-Credentials’ header in the response is ‘’ which must be ‘true’ when the request’s credentials mode is ‘include’. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
I have added this domain as described here https://www.sanity.io/docs/cors
Apr 16, 2021, 7:22 PM
Sounds like you might have defined a token when instantiating the client?
That's generally not recommended unless this is for an intranet-solution or something behind another layer of authentication, since the token will be visible to anyone on that page.

If it
is intentional, you need to check the "Allow credentials" checkbox when creating the CORS origin
Apr 16, 2021, 7:33 PM
user Z
thanks for help. I don’t think I have added a token 🤔 This is how it looks on the client side:
Apr 17, 2021, 6:29 AM
I think I found the issue, I had to change the API settings to allow credentials on this domain
Apr 17, 2021, 10:27 AM

Sanity– build remarkable experiences at scale

Sanity is a modern headless CMS that treats content as data to power your digital business. Free to get started, and pay-as-you-go on all plans.

Was this answer helpful?