Access Your Data (CORS)

Decide which domains may access your project data.

For security reasons, your project is configured to respond only to queries from localhost (i.e. your laptop) and the hostname you used when deploying (if you used sanity deploy). If you want to open your project to any other origins, you need to add the hostname to your allowed CORS origins (read more on the technicalities of CORS here).

Typical reasons you'd want to add a new CORS-origin include:

  1. You are using a non-default port when developing, so you'd open to http://localhost:<your port>
  2. You are deploying a front end, so you'd open to
  3. You are deploying a studio outside the Sanity infrastructure (i.e. not using the sanity deploy command)
  4. You want to try something out on JSFiddle, so you'd open to

It's good practice to limit your origins to the smallest possible set, and never open a sensitive dataset to public playgrounds like JSFiddle. A JSFiddle example will be able to access projects you open to it with your credentials when you run it.

How to add a CORS origin

You do this from your management console at

  1. Pick your project from the list
  2. Go to Settings, and then to API
  3. Under CORS Origins, click the Add new origin button
  4. Enter the origin you want, stating explicitly the protocol, host name and port you want to allow traffic from. Wildcards are allowed. Use the following format: protocol://hostname[:port] (use * for wildcard)

    Some valid examples include: https://*, https://localhost:3333


Allowing credentials from wildcard origins is dangerous. Any domain that matches the given pattern will be able to send requests on the user's behalf if they are logged in to your studio. Tread carefully!
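One way to review a list of origins before adding them, as an added example that is not Sanity's code: it checks each entry against the protocol://hostname[:port] format, flags wildcards combined with credentials, and lists which observed origins each entry would admit. It assumes `*` matches any run of characters and that only http and https are accepted as protocols; the hosts and the `allowCredentials` field name are constructed for illustration.

```javascript
// Added example, not Sanity code. Assumptions: "*" matches any run of
// characters, and only http/https are accepted as the protocol.
const ORIGIN_RE = /^(https?):\/\/([^\/:\s]+)(?::(\d+|\*))?$/;

// Split an entry of the form protocol://hostname[:port]; null if malformed.
function parseOrigin(entry) {
  const m = ORIGIN_RE.exec(entry);
  return m ? { protocol: m[1], hostname: m[2], port: m[3] || null } : null;
}

// Does a browser Origin header value fall under this allow-list entry?
function matchesOrigin(entry, origin) {
  const escaped = entry.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$").test(origin);
}

// Review one entry: format, wildcard use, and which sample origins it admits.
function auditEntry({ origin, allowCredentials }, sampleOrigins) {
  const findings = [];
  if (!parseOrigin(origin)) {
    return { origin, findings: ["not protocol://hostname[:port]"], admits: [] };
  }
  if (origin.includes("*")) {
    findings.push("wildcard");
    if (allowCredentials) findings.push("wildcard with credentials");
  }
  const admits = sampleOrigins.filter((o) => matchesOrigin(origin, o));
  return { origin, findings, admits };
}

// Constructed sample data (hypothetical hosts).
const entries = [
  { origin: "https://localhost:3333", allowCredentials: true },
  { origin: "https://*", allowCredentials: true },
  { origin: "https://*.example.com", allowCredentials: false },
  { origin: "example.com", allowCredentials: false },
];
const seen = [
  "https://localhost:3333",
  "https://studio.example.com",
  "https://playground.example.net",
];

const report = entries.map((e) => auditEntry(e, seen));
for (const r of report) console.log(r.origin, r.findings, r.admits);
```

Feeding `seen` from real request logs shows how much wider a wildcard entry is than the explicit origins it was meant to replace.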
