Keeping your data safe
Best practices for access token security.
An access token (also known as a robot token) is a credential that grants read or write access to the data in a Sanity project. You can read more about access control and tokens in the authentication docs.
Access tokens are project-specific and you can create them from the project settings in the management console.
Access tokens should not be confused with user tokens: a user token is a personal token that identifies a logged-in user and is generated when that user logs in.
As a rule of thumb, you should:
- Never commit access tokens to public code repositories or open source projects.
- Never share access tokens through unsecured or public channels.
Be extra careful with access tokens that grant write access to your data: anyone holding such a token can delete all of it.
If you find that your token has been leaked or accidentally made public, consider it compromised for good and delete it immediately, no matter how quickly you manage to make it private again.
To delete a token, go to the management console at https://manage.sanity.io, select your project, and navigate to project settings. From there, select the API settings and delete the token in question.
If you want users of your website or app to be able to submit data, we recommend creating a small proxy server or cloud function that validates the received data, transforms it into a Sanity document and submits it using a Sanity client configured with a token that has write access to the dataset. That way the write token stays on the server and is never shipped to the browser.
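As an added example (not code from the Sanity docs), this is the shape such a proxy handler can take in Node.js. The field allow-list, the hypothetical `comment` document type and the `SANITY_WRITE_TOKEN` variable name are assumptions; the submit callback stands in for a Sanity client created with a write token that exists only in the server environment.

```javascript
// Added example: server-side handler for a public submission form.
// In production, submit(doc) would wrap client.create(doc) from @sanity/client,
// where the client is created with token: process.env.SANITY_WRITE_TOKEN (assumed
// variable name) and useCdn: false. The browser never sees that token.

const MAX_NAME = 80;
const MAX_MESSAGE = 2000;

// Allow-list validation: only name, message and postId are read from the
// untrusted body; any other field the caller sends is ignored.
function validateSubmission(input) {
  if (typeof input !== 'object' || input === null) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  const { name, message, postId } = input;
  if (typeof name !== 'string' || name.trim() === '' || name.length > MAX_NAME) {
    errors.push(`name must be a non-empty string of at most ${MAX_NAME} characters`);
  }
  if (typeof message !== 'string' || message.trim() === '' || message.length > MAX_MESSAGE) {
    errors.push(`message must be a non-empty string of at most ${MAX_MESSAGE} characters`);
  }
  // Sanity document ids consist of letters, digits, '.', '-' and '_'.
  if (typeof postId !== 'string' || !/^[A-Za-z0-9._-]+$/.test(postId)) {
    errors.push('postId must be a valid document id');
  }
  if (errors.length > 0) return { ok: false, errors };
  return { ok: true, value: { name: name.trim(), message: message.trim(), postId } };
}

// The server, not the caller, decides _type and trust-sensitive fields such as
// approved, so a submitter cannot self-approve or write arbitrary document types.
function toCommentDocument({ name, message, postId }, now = new Date()) {
  return {
    _type: 'comment',
    name,
    message,
    approved: false,
    post: { _type: 'reference', _ref: postId },
    submittedAt: now.toISOString(),
  };
}

// Returns an HTTP-style result; submit performs the write with the server-held token.
async function handleSubmission(rawBody, submit) {
  const result = validateSubmission(rawBody);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  const created = await submit(toCommentDocument(result.value));
  return { status: 201, body: { id: created._id } };
}
```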
When creating datasets, you may choose whether it should be:
- Public - everyone can query for content in the dataset without being authorized - great for single page applications
- Private - only authenticated users or requests with authorization tokens can read from the dataset
You may change the visibility mode for your dataset either by running sanity dataset visibility set <datasetName> <public/private> or by using the management console at https://manage.sanity.io/
Asset files are not private, so even images uploaded to a private dataset can be viewed by unauthenticated users.
Private datasets can also be cached in the API Content Delivery Network (API CDN); in that case responses are cached with your access token as the key. See the API CDN documentation for details.
Customers with the custom access control feature can specify fine-grained rules for configuring which users can create, delete and update documents. See the access control documentation for details.
To avoid this, you could consider:
- Making the backend fetch the data from the Sanity APIs, filtering out only the data that should be available to the general public.
If you are building a frontend for a private intranet, make sure that static assets are also served only to authorized users whenever they include an access token.