Preview‑Mode Access
Preview Mode lets reviewers browse the website through a single, time‑limited URL. No WordPress accounts are created, no basic‑auth prompts appear, and everything rides on the framework’s own API.
Quick Setup
Enable preview behaviour in your bootstrap script (e.g. `wp-config.php`):

```php
define('SITE_PREVIEW_ENABLED', true);
```
The framework auto‑registers everything else; no further configuration is required.
Issuing a Preview Link
Use the built‑in endpoint to mint a signed token and preview URL:

```bash
curl -X POST https://api.example.com/preview-token \
  -H "Authorization: Bearer <your-admin-api-key>" \
  -H "Content-Type: application/json" \
  -d '{"id":123,"ttl":3600}'
```
Typical response:

```json
{
  "id": 123,
  "time": 3600,
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9…",
  "note": "Default or maximum values were used for: ttl."
}
```
Construct a reviewer link by appending the token to your front‑end domain:

`https://example.com/?prev=<token>`
Preview‑Token API Reference
| Field | Type | Required | Description |
|---|---|---|---|
| `id` | int | No | Resource/user identifier. Must be an integer ≥ 1. Defaults to 0 if missing or invalid. |
| `ttl` | int | No | Token time‑to‑live (seconds). Defaults to 3600 s (1 hour) if missing or invalid. Maximum allowed is 604 800 s (7 days). |

Endpoint: `POST https://api.example.com/preview-token`
Success Response
```json
{
  "id": <int>,
  "time": <int>,
  "token": "<string>",
  "note": "<string, optional>"
}
```

`note` appears only when the server substituted a default value or clamped `ttl` to the 7‑day maximum.
Error Response (example)
```json
{
  "error": "Preview token secret not configured."
}
```
How Reviewers Use the Link
- Share the preview URL with your stakeholder.
- When they load the address, the framework verifies the token, plants a secure HTTP‑only cookie, and serves the requested page.
- The cookie keeps them in preview mode for their browsing session until the token’s TTL elapses.
Revocation & Rotation
| Action | Effect |
|---|---|
| Rotate `SITE_PREVIEW_TOKEN` | Immediately invalidates all outstanding preview links. |
| Adjust `ttl` | Shorten or extend link validity (max 7 days). |
| Blacklist a specific token | Add its hash to a revocation table checked during validation. |
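The following standalone model ties together the three mechanics described above: the defaulting and clamping rules of the token endpoint ("Issuing a Preview Link" and the API reference), the checks the framework runs when a reviewer opens `?prev=<token>` ("How Reviewers Use the Link"), and the two revocation paths in the table (secret rotation and a hash‑based blacklist). It is an added illustration written in Python, not the framework's own PHP code; the claim names (`id`, `iat`, `exp`), the HS256 signing scheme (chosen because the sample token's header decodes to `{"alg":"HS256","typ":"JWT"}`), the cookie name `preview`, and the demo secret are all assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time

DEFAULT_TTL = 3600     # documented default: 1 hour
MAX_TTL = 604_800      # documented ceiling: 7 days

# Constructed demo secret; a real deployment reads SITE_PREVIEW_TOKEN from wp-config.php.
DEMO_SECRET = "demo-only-secret-rotate-me"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize_request(body: dict):
    """Apply the documented rules: id -> 0 if missing/invalid, ttl -> 3600 if
    missing/invalid, ttl clamped to 604800. Returns (id, ttl, fields_noted)."""
    noted = []
    rid = body.get("id")
    if isinstance(rid, bool) or not isinstance(rid, int) or rid < 1:
        rid = 0
        noted.append("id")
    ttl = body.get("ttl")
    if isinstance(ttl, bool) or not isinstance(ttl, int) or ttl < 1:
        ttl = DEFAULT_TTL
        noted.append("ttl")
    elif ttl > MAX_TTL:
        ttl = MAX_TTL
        noted.append("ttl")
    return rid, ttl, noted


def _sign(signing_input: bytes, secret: str) -> str:
    return _b64url(hmac.new(secret.encode(), signing_input, hashlib.sha256).digest())


def mint_token(body: dict, secret: str, now: int = None) -> dict:
    """Model of POST /preview-token: returns the documented response shape."""
    now = int(time.time()) if now is None else now
    rid, ttl, noted = normalize_request(body)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"id": rid, "iat": now, "exp": now + ttl}, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    token = f"{signing_input}.{_sign(signing_input.encode(), secret)}"
    response = {"id": rid, "time": ttl, "token": token}
    if noted:
        response["note"] = "Default or maximum values were used for: " + ", ".join(noted) + "."
    return response


def token_hash(token: str) -> str:
    """The revocation table stores hashes of blacklisted tokens, not the tokens themselves."""
    return hashlib.sha256(token.encode()).hexdigest()


def verify_token(token: str, secret: str, revoked: set, now: int = None):
    """Checks performed when ?prev=<token> arrives: signature (so rotating the
    secret rejects every old link), revocation table, then expiry. Returns the
    claims on success or None on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{header}.{payload}".encode(), secret)):
        return None
    if token_hash(token) in revoked:
        return None
    try:
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, int) or exp <= now:
        return None
    return claims


def preview_link(token: str, domain: str = "https://example.com") -> str:
    return f"{domain}/?prev={token}"


def preview_cookie(token: str, max_age: int) -> str:
    """Set-Cookie value the framework would plant: Secure + HttpOnly so page
    scripts cannot read it and it is never sent over plain HTTP."""
    return f"preview={token}; Max-Age={max_age}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    response = mint_token({"id": 123, "ttl": 3600}, DEMO_SECRET)
    print(json.dumps(response, indent=2))
    print(preview_link(response["token"]))
    claims = verify_token(response["token"], DEMO_SECRET, revoked=set())
    print("valid for id", claims["id"], "until", claims["exp"])
    revoked = {token_hash(response["token"])}
    print("after revocation:", verify_token(response["token"], DEMO_SECRET, revoked))
```

Passing an explicit `now` lets you exercise the expiry boundary deterministically; with the default the functions use the wall clock. The signature check runs before the payload is decoded so that a tampered or foreign token never reaches the JSON parser, and the comparison uses `hmac.compare_digest` to avoid timing leaks.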
Security Notes
- The endpoint is already gated by your existing API key authentication.
- Serve all preview traffic over HTTPS so tokens stay encrypted in transit.
- Keep the master `SITE_PREVIEW_TOKEN` private and rotate it on a schedule.
- Enforce the 7‑day TTL maximum; shorter is safer.
- Leave your usual firewall and security layers active—preview traffic passes through them like any other request.