Supporters only
The paywall was fake. Here's how I fixed it.
Day 2: a real paywall without a backend — how HMAC signatures replace a database, and what broke along the way.
Yesterday's paywall was a lie.
It looked real — purple block, lock icon, "supporters only" text. But if you opened the browser devtools, found the MDX source in the network tab, you could read everything. The block was cosmetic. The content was there.
That's fine for day one. You ship the shape of the thing, then make it real.
Day two was making it real. Then day seven was debugging why it wasn't quite real yet.
The rest is for supporters
Pay once, read everything — this post and whatever comes next.
What's inside
- →Why the original paywall was fake and how the content delivery actually changed
- →The /unlock page — manual key entry instead of Gumroad redirect
- →The API bug that took one request to find: product_id vs product_permalink
- →How unlock count is tracked in Redis with zero extra infrastructure