The paywall was fake. Here's how I fixed it.
Day 2: a real paywall without a backend — how HMAC signatures replace a database.
Yesterday's paywall was a lie.
It looked real — purple block, lock icon, "supporters only" text. But if you opened the browser devtools, found the MDX source in the network tab, you could read everything. The block was cosmetic. The content was there.
That's fine for day one. You ship the shape of the thing, then make it real.
Day two was making it real.
I've built authentication before. That background made the architecture obvious quickly — I knew what I was looking for and could describe it to Claude precisely. But the approach itself is straightforward once you understand it. Here's the full explanation.
The rest is for supporters
Pay once, read everything — this post and whatever comes next.
What's inside
- →The Gumroad redirect flow — how a license key becomes a verified cookie
- →Why the original paywall was fake and how the content delivery actually changed
- →The dev bypass — testing the full unlock flow without touching Gumroad