
Preview-Mode Access

Preview Mode lets reviewers experience the entire site front end through a single, time-limited URL. No WordPress accounts are created, no basic-auth prompts appear, and everything rides on the framework’s own API.


Quick Setup

Enable preview behaviour in your bootstrap script (for example, wp-config.php):

php
define('SITE_PREVIEW_ENABLED', true);

The framework auto-registers everything else; no further configuration is required.


Use the built-in endpoint to mint a signed token and URL:

bash
curl -X POST https://example.com/api/preview-token \
     -H "Authorization: Bearer <your-admin-api-key>" \
     -H "Content-Type: application/json"

Typical response:

json
{
  "previewUrl": "https://example.com/?prev=eyJleHAiOjE2OD…5fQ=="
}

The endpoint is protected by whatever API authentication you already have in place. The prev query string value is a signed token that expires after the time-to-live (TTL) you set in code.


  • Share the previewUrl with your stakeholder.
  • When they load the address, the framework verifies the token, plants a secure HTTP-only cookie, and serves the requested page.
  • That cookie keeps them in preview mode for the rest of their browsing session until the token’s TTL elapses, at which point the site reverts to its normal “coming soon” behaviour.

Revocation and Rotation

  • Rotate SITE_PREVIEW_TOKEN in .env at any time to invalidate all outstanding links.
  • Adjust TTL in the URL-signing code to shorten or extend how long each link stays valid (default ≈ 2 h 23 m).
  • Blacklist a single token early by adding a quick “revoked tokens” check before validation.
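
An added example, not the framework's own code, of the validation order described above: revoked-token check first, then the signature check against SITE_PREVIEW_TOKEN, then expiry. The token layout (base64url JSON payload plus an HMAC-SHA256 signature) and all function names are assumptions made for illustration.

```php
<?php
// Assumed token layout: base64url(JSON payload) . "." . base64url(HMAC-SHA256).
// The framework's real format may differ; every function name here is hypothetical.

function b64url(string $raw): string {
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function mint_preview_token(string $secret, int $ttl, int $now): string {
    $payload = b64url(json_encode(['exp' => $now + $ttl, 'jti' => bin2hex(random_bytes(8))]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $secret, true));
}

// Returns true only for an unrevoked, correctly signed, unexpired token.
function verify_preview_token(string $token, string $secret, array $revoked, int $now): bool {
    // Revocation check first: the list holds SHA-256 digests, never usable tokens.
    if (in_array(hash('sha256', $token), $revoked, true)) {
        return false;
    }
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return false;
    }
    [$payload, $sig] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $secret, true));
    // Constant-time comparison; verify the signature before trusting the payload.
    if (!hash_equals($expected, $sig)) {
        return false;
    }
    $claims = json_decode(base64_decode(strtr($payload, '-_', '+/')), true);
    return is_array($claims) && is_int($claims['exp'] ?? null) && $now < $claims['exp'];
}

// Constructed values for the demonstration.
$secret = 'constructed-demo-secret';   // stands in for SITE_PREVIEW_TOKEN
$now    = 1700000000;
$ttl    = 8580;                        // 2 h 23 m, the default mentioned above
$token  = mint_preview_token($secret, $ttl, $now);

var_dump(verify_preview_token($token, $secret, [], $now + 60));                       // fresh token
var_dump(verify_preview_token($token, $secret, [], $now + $ttl));                     // TTL elapsed
var_dump(verify_preview_token($token, $secret, [hash('sha256', $token)], $now + 60)); // digest on the revoked list
var_dump(verify_preview_token($token, 'rotated-secret', [], $now + 60));              // after secret rotation
var_dump(verify_preview_token($token . 'x', $secret, [], $now + 60));                 // signature altered
```

Storing digests in the revoked list means a leaked list cannot be replayed as working preview links.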

Security Notes

  • Serve all preview traffic over HTTPS so tokens stay encrypted in transit.
  • Keep the master SITE_PREVIEW_TOKEN private and rotate it on a schedule.
  • Leave your usual firewall and security layers active; preview traffic passes through them like any other request.