Get help on Discord

Using token authentication for Sanity CLI login

22 replies
Last updated: Jul 28, 2020
Hello. We are looking to use an automated system for deploying GraphQL schemas and studio, but we have some problems logging in to the CLI tool. Is it possible to use a token for logging in, or is it another method?
AI Update

Yes, it is absolutely possible to use a token for logging in to the Sanity CLI for automated deployments! This is actually the recommended approach for CI/CD environments.

Using Authentication Tokens

For automated systems like CI/CD pipelines, you should use the SANITY_AUTH_TOKEN environment variable instead of interactive login. Here's how:

1. Create a Deploy Token

First, create a deploy token in your Sanity project management dashboard. Navigate to your project settings to generate a token with appropriate permissions.

2. Set the Environment Variable

In your CI/CD environment, set the SANITY_AUTH_TOKEN environment variable with your token:

SANITY_AUTH_TOKEN=<your-deploy-token> sanity deploy

Or for schema deployment:

SANITY_AUTH_TOKEN=<your-deploy-token> sanity schema deploy

3. CI/CD Configuration Example

For automated deployments, you can configure your workflow like this:

// sanity.cli.ts
import {defineCliConfig} from 'sanity/cli'

export default defineCliConfig({
  api: {
    projectId: process.env.SANITY_STUDIO_PROJECT_ID,
    dataset: process.env.SANITY_STUDIO_DATASET,
  },
  studioHost: process.env.SANITY_STUDIO_HOSTNAME
})

Then in your CI/CD pipeline, ensure these environment variables are set:

  • SANITY_AUTH_TOKEN - Your deploy token (for authentication)
  • SANITY_STUDIO_PROJECT_ID - Your project ID
  • SANITY_STUDIO_DATASET - Your dataset name
  • SANITY_STUDIO_HOSTNAME - Your studio hostname (optional, for deployment)

Why Use Tokens?

According to the Sanity deployment documentation, the sanity deploy command normally uses your local user session for authentication, which won't be available in CI/CD workflows. The SANITY_AUTH_TOKEN environment variable solves this by providing programmatic authentication.

Common Use Cases

This token-based authentication works for:

  • Deploying Sanity Studio (sanity deploy)
  • Deploying GraphQL schemas (sanity graphql deploy)
  • Running migrations
  • Any other CLI operations that require authentication

The token-based authentication is secure and allows you to grant specific permissions without sharing user credentials. You can manage and revoke these tokens through your project settings at any time.

Show original thread
22 replies
Hi User, you can create a deploy token for this purpose. To do so, go to your project on manage.sanity.io and then Settings &gt; API &gt; Tokens &gt; Add new token - make sure to choose “Deploy token” under rights 🙂
Hi again
user M
, thank you for the reply. Where would we use this token when we need to log in?
Are you able to set it up as an environment variable in your pipeline? What are you using for automation?
We are trying to use Octopus. We added the token to the environmental variables but we can't figure out how to use the token to log us in to the CLI tool, so we can use commands like 
sanity deploy
, 
sanity graphql deploy
automatically.
Try running the commands as follows:
SANITY_AUTH_TOKEN=<token> sanity <command>
(Using the relevant env var for your token)
Thank you very much
user M
! 😃
user M
It does not seem to work, unfortunately. When we try to provide the SANITY_AUTH_TOKEN before the sanity command it doesn't recognize it as a command, and when we provide it after the command it gives an error saying we have to use 
sanity login
.Is there an argument option to provide token, say 
sanity graphql list --token SANITY_AUTH_TOKEN=<token>
?
As an alternative, does the following approach produce any different results for you?
sanity <command> --with-user-token
user M
this error message is returned, I've tried a few different variations of the command you sent. I am currently just trying the commands in my personal terminal logged out to replicate the CI environment.
Could you try creating a Read+Write token and running the commands with that one locally to test?
By for example running 
sanity graphql list --with-user-token <token>
?If so, it returned the same error message as above.
And this one with the R+W token?
SANITY_AUTH_TOKEN=<token> sanity <command>
Could you try creating a Read+Write token and running the commands with that one locally to test?
The term 'SANITY_AUTH_TOKEN=<token> is not recognized as the name of a cmdlet, function, script file, or operable program.
When I ran 
SANITY_AUTH_TOKEN=<token> sanity <command>
with the R+W token as the &lt;token&gt;.
That’s usually an issue with the path variable. I guess you’re running PowerShell?
Okey, do you suggest that I should configure the path variable to sanity? Do you have any documentation to set it up correctly?
user M
would love to know if you guys have any idea how to setup this in our CD environment with Powershell.I've tried a few variations in Powershell, like using 
$
in front of the 
$SANITY_AUTH_TOKEN
. Would also be nice to see some more documentation on this topic in the future. 🙂Cheers
🤓
Absolutely, User, we should give some attention to documenting CI/CD flows in general. It’s too confusing right now and there a bunch of different options each with specific challenges, mostly around authentication though.
Unfortunately I’ve never used PowerShell myself, so I can only assist from the sidelines here. I’ve seen it being a path variable issue, at least when that error message you shared above occurs. However, it usually throws the error for any 
sanity <command>
in that case, not specifically for the 
SANITY_AUTH_TOKEN=
portion. I’d be happy to check with the team to see if anyone’s more familiar with PS.
That would be lovely
user M
, thanks.Note that I'm not seeing the 
not recognized
error message when not using the 
SANITY_AUTH_TOKEN
in front of the command.
user M
I figured it out. In Powershell you have to define the environment variable like so: 
$env:SANITY_AUTH_TOKEN=<token> ; sanity <command>
and notice the 
;
to separate the command from setting the variable. I was inspired by this Stack Overflow answer: https://stackoverflow.com/a/1422082 .Thanks for all the help
🤓
This is awesome,
user M
! I’ll note this in bold for when we write up those docs on CI/CD. Thanks for sharing the solution - great catch 🎉
This is awesome,
user M
! I’ll note this in bold for when we write up those docs on CI/CD. Thanks for sharing the solution - great catch 🎉

Sanity – Build the way you think, not the way your CMS thinks

Sanity is the developer-first content operating system that gives you complete control. Schema-as-code, GROQ queries, and real-time APIs mean no more workarounds or waiting for deployments. Free to start, scale as you grow.

Get started for freeExplore the demo

Was this answer helpful?