Resolving access issues with Sanity's Users API using user tokens

12 replies
Last updated: Jan 17, 2025
Hi All,I am using the following API:

<http://api.sanity.io/vX/access/projects/{projectId}/users|api.sanity.io/vX/access/projects/{projectId}/users>
This is as per the documentation:
Sanity API Reference .I have created a token with all permissions enabled, but I am still unable to access the Users API.
The API is returning the error:
"Robots are not allowed."

I think I need to create a auth token to access this api
but I am not able to find documentation for it

Could someone please help me with this?
Jan 9, 2025, 10:13 PM
are you changing
vX
to the actual api version which would be
vyyyy-mm-dd
aka
v2025-01-09
Jan 9, 2025, 11:59 PM
the auth tokens you create in your dashboard in sanity.io -&gt; project -&gt; api -&gt; tokens.
Jan 10, 2025, 12:08 AM
you know what. I just tried this myself and I also cant access the api endpoint. with the same error. I tried all 3 token types and several api versions including
vX
,
v2
,
v3
,
v2025-01-09
. and still got the same 403 forbidden error
{"statusCode":403,"error":"Forbidden","message":"Robots are not allowed"}
which makes me think that maybe either A this is not public yet or B it requires CORS from an actual domain and not localhost for it to work.
Jan 10, 2025, 12:31 AM
also even trying this using the
test request
feature on this page results in the same error.
Jan 10, 2025, 12:35 AM
That error means the API cannot be authorized with a robot token. It needs the token of a user. I’m not sure why that’s the case, but I looked at the code and it was an intentional choice.
Jan 10, 2025, 12:40 AM
hmm maybe its legacy from the CLI? since the cli would have the logged in user token?
Jan 10, 2025, 12:42 AM
No, because this endpoint is new (still in beta).
Jan 10, 2025, 12:43 AM
interesting.
Jan 10, 2025, 12:44 AM
Oh, wait. The use of OpenAPI is what’s in beta—not the API itself (though it is new).
Jan 10, 2025, 12:44 AM
ok got it working with that knowledge. at first I was like “how are we suppose to get the users secret without building our own auth” but sanity came through with a cli command. with your logged in user you can issue
sanity debug --secrets
which will dump your user token. Now the api works and gets me a list of all users. But I assume this is really for enterprise people who build their own SSO.
Jan 10, 2025, 1:15 AM
user M
I did same thing it worked for me aswell
but i think keeping this secrete key in env is not good idea
Jan 10, 2025, 12:26 PM
Hi all. The backend team just pushed a change and you should now be able to use a robot token with the Access API.
Jan 17, 2025, 3:11 PM

Sanity– build remarkable experiences at scale

Sanity is a modern headless CMS that treats content as data to power your digital business. Free to get started, and pay-as-you-go on all plans.

Was this answer helpful?