Media Library
Asset visibility
Control asset access using visibility settings and enable secure delivery using signed URLs.
Asset visibility controls how individual assets like images and files can be accessed from Sanity’s Content Delivery Network (CDN). This feature ensures Media Library can securely manage confidential assets, embargoed launches, and other sensitive or licensed materials.
- Public: Anyone with the asset's URL or identifier can request and view it.
- Private: Access is restricted to authenticated Media Library and Studio users. External controlled access can be granted using signed URLs.
Video assets
Private visibility is not yet available for video assets. Uploaded videos are public, so plan your use of video content with this in mind.
Updating asset visibility
- Select the asset in Media Library.
- In the asset sidebar, select the visibility indicator. If the asset is public, it will display Public with a globe icon. If the asset is private, it will display Private with a lock icon.
- Select the desired visibility from the list in the popover.
Note that switching visibility does not require a Publish action for changes to take affect.
Setting asset visibility
By default, assets are uploaded with public visibility. To change this for your session, select Upload at the top of the asset grid and use the visibility switcher in the upload modal before uploading.
Loading...
Caching and propagation
When switching an asset's visibility from public to private, the CDN may continue serving cached responses for up to 30 days. To minimize exposure, set sensitive assets to private before upload.
Signed URLs
Signed URLs provide a secure way to deliver private assets through Sanity's CDN. Each URL includes a signature that both validates access and ensures the asset is served only with the exact transformations specified in the URL. This prevents unauthorized use, hotlinking, and unapproved image manipulation.
To display images with private visibility using signed URLs, the @sanity/image-url package exports an extended image URL builder with signing methods via the @sanity/image-url/signed export path.
For non-image assets such as PDFs and audio files, use the lower level @sanity/signed-urls package to create a signed version of a given asset URL.
Check the READMEs of both packages for more details on signing URLs.
Signing keys
Signing URLs using the above packages requires providing a private key and an associated key ID to whichever helper functions you are using. Signing keys are managed in the Media Library itself:
- At the top of the left panel, click the Media Library dropdown.
- Select Signing keys
Loading...
