loke.dev
A content update signal travelling from a CMS through a secure webhook into a fast global edge cache

Revalidate Sanity Content on Astro and Cloudflare

Use a signed Sanity webhook to trigger an Astro deployment, purge affected Cloudflare cache paths, and warm the reader-facing pages.

Published By Loke2 min read

A fast Astro site should not fetch Sanity on every page view just to reflect an edit. Use a signed webhook to tell the site that content changed, then make the deployment and cache layers converge on the new version.

Use a small, observable pipeline

The webhook is an event, not the content delivery mechanism. Verify it at an Astro endpoint, trigger the build or deployment action, wait until the new version is available, purge only the affected public paths, and optionally request those paths once to warm the edge cache.

Sanity publishSigned webhookDeploy and targeted purgeWarm reader paths
A verified content event changes public pages in a controlled order: authenticate, deploy, purge targeted paths, then warm them.

Verify the webhook before any side effect

Sanity supports signed webhooks. Read the raw request body once, verify its signature with a server-side secret, and reject invalid requests before dispatching a deploy or calling a Cloudflare API. Do not trust a document ID or path supplied by an unverified request.

export const POST: APIRoute = async ({ request }) => {
  const rawBody = await request.text()
  if (!(await isValidSignature(rawBody, request.headers, secret))) {
    return new Response('Unauthorized', { status: 401 })
  }
  // Trigger deployment, then purge known public paths.
  return Response.json({ ok: true })
}

Map document changes to public paths

A post change usually affects its article URL, the blog index, related topic or author pages, RSS, and the sitemap. Keep this mapping in code and default to a safe small set when the webhook payload lacks enough detail. Avoid a whole-zone purge for ordinary editorial changes.

Deploy before purging

Purging first can make readers hit the previous deployment while the build is still running. Trigger the deployment, wait for a successful result, then purge and warm the public paths. Record the delivery ID, deployment result, purged URLs, and failures so retries are idempotent.

Verify the reader path

curl -i https://example.com/blog/example-slug
curl -i https://example.com/blog
curl -i https://example.com/sitemap.xml

This keeps reader requests fast and makes updates event-driven. The important boundary is simple: authenticate the event, deploy the content, then invalidate only the caches that can still serve the old page.

For the architecture behind this flow, see fast Astro builds without request-time Sanity fetches.

Reproduce the example

Open the repository

Reference: src/pages/api/revalidate.ts and src/lib/revalidate.server.ts

npm install
Send a signed test webhook and confirm the deployed page returns the updated content.

Sources and further reading

  1. GROQ-powered webhooks · Sanity
  2. Endpoints · Astro
  3. Purge cache · Cloudflare