Access Your Data (CORS)

For security reasons, your project is configured to only respond to queries from localhost (i.e. your laptop) and the hostname you used when deploying (if you used sanity deploy). If you want to open your project to any other origins, you need to add the host-name to your allowed CORS origins (read more on the technicalities of CORS here).

Typical reasons you'd want to add a new CORS-origin include:

  1. You are using a non-default port when developing, so you'd open to http://localhost:<your port>
  2. You are deploying a front end, so you'd open to
  3. You are deploying a studio outside the Sanity infrastructure (i.e. not using the sanity deploy command)
  4. You want to try something out on JSfiddle, you'd open to

It s good practice to limit your origins to the smallest possible set, and never open a sensitive dataset to public playgrounds like JSFiddle. A JSFiddle example will be able to access projects you open to it with your credentials when you run it.

How to add a CORS origin

You do this from your management console at

  1. Pick your project from the list
  2. Go to Settings
  3. Under CORS Origins click the Add new origin-button
  4. Enter the origin you want, stating explicitly exactly the protocol, host name and port you want to allow traffic from. Some valid examples include:,, https://localhost:3333.

IDN-domains and CORS has known issues in Internet Explorer and Microsoft Edge (now fixed). See details at

Previous: The Vision PluginNext: Minimal Example