Asset visibility
Control asset access using visibility settings and enable secure delivery using signed URLs.
Asset visibility controls how individual assets like images and files can be accessed from Sanity’s Content Delivery Network (CDN). This feature ensures Media Library can securely manage confidential assets, embargoed launches, and other sensitive or licensed materials.
- Public: Anyone with the asset's URL or identifier can request and view it.
- Private: Access is restricted to authenticated Media Library and Studio users. Controlled external access can be granted using signed URLs.
Video assets
Private visibility is not yet available for video assets. Uploaded videos are public, so plan your use of video content with this in mind.
Updating asset visibility

- Select the asset in Media Library.
- In the asset sidebar, select the visibility indicator. If the asset is public, it will display Public with a globe icon. If the asset is private, it will display Private with a lock icon.
- Select the desired visibility from the list in the popover.
Note that switching visibility does not require a Publish action for changes to take effect.
Setting asset visibility
By default, assets are uploaded with public visibility. To change this for your session, select Upload at the top of the asset grid and use the visibility switcher in the upload modal before uploading.

Caching and propagation
When switching an asset's visibility from public to private, the CDN may continue serving cached responses for up to 30 days. To minimize exposure, set sensitive assets to private before upload.
Signed URLs
Signed URLs provide a secure way to deliver private assets through Sanity's CDN. Each URL includes a signature that both validates access and ensures the asset is served only with the exact transformations specified in the URL. This prevents unauthorized use, hotlinking, and unapproved image manipulation.
To display images with private visibility using signed URLs, the @sanity/image-url package exports an extended image URL builder with signing methods via the @sanity/image-url/signed export path.
For non-image assets such as PDFs and audio files, use the lower-level @sanity/signed-urls package to create a signed version of a given asset URL.
Check the READMEs of both packages for more details on signing URLs.
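The property described above, that the signature covers the exact transformations in the URL, shown as an added example that is not Sanity's code and does not use the @sanity/image-url or @sanity/signed-urls APIs. It is a generic Ed25519 scheme; the `keyid`, `expiry` and `signature` parameter names, the host, and the key ID are assumptions made for illustration.

```javascript
// Added illustration: a generic signed-URL scheme, NOT Sanity's wire format.
const crypto = require("node:crypto");

// Constructed demo key pair and hypothetical key ID.
const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
const KEY_ID = "demo-key-1";

// Canonical string: path plus all query parameters sorted by name,
// excluding the signature itself. Transformations are part of what is signed.
function canonicalize(url) {
  const params = [...url.searchParams.entries()]
    .filter(([name]) => name !== "signature")
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  return url.pathname + "?" + new URLSearchParams(params).toString();
}

// Signer side: runs on a trusted server that holds the private key.
function signUrl(rawUrl, expiresAtSec) {
  const url = new URL(rawUrl);
  url.searchParams.set("keyid", KEY_ID);
  url.searchParams.set("expiry", String(expiresAtSec));
  const sig = crypto.sign(null, Buffer.from(canonicalize(url)), privateKey);
  url.searchParams.set("signature", sig.toString("base64url"));
  return url.toString();
}

// Verifier side: the check an edge server would run before serving the asset.
function verifyUrl(rawUrl, nowSec) {
  const url = new URL(rawUrl);
  const sig = url.searchParams.get("signature");
  if (!sig || url.searchParams.get("keyid") !== KEY_ID) {
    return "rejected: missing signature or unknown key";
  }
  const expiry = Number(url.searchParams.get("expiry"));
  if (!Number.isFinite(expiry) || nowSec >= expiry) return "rejected: expired";
  const ok = crypto.verify(null, Buffer.from(canonicalize(url)), publicKey,
    Buffer.from(sig, "base64url"));
  return ok ? "ok" : "rejected: bad signature";
}

// Constructed sample input: a 200x200 rendition valid for five minutes.
const NOW = 1700000000;
const signed = signUrl("https://cdn.example.test/images/private-asset.jpg?w=200&h=200", NOW + 300);
const tampered = signed.replace("w=200", "w=2000"); // change one transformation

console.log(verifyUrl(signed, NOW));       // untouched URL
console.log(verifyUrl(tampered, NOW));     // altered width
console.log(verifyUrl(signed, NOW + 301)); // after expiry
```

Because signing needs the private key, it belongs in server-side code; a key shipped to the browser lets anyone mint URLs for any private asset.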
Signing keys
Signing URLs using the above packages requires providing a private key and an associated key ID to whichever helper functions you are using. Signing keys are managed in the Media Library itself:
- At the top of the left panel, click the Media Library dropdown.
- Select Signing keys.
