Headless CMS Integration Patterns

Draft State Management in Headless CMS Frontends

Draft state management is the discipline of surfacing unpublished content to authorized reviewers without poisoning production caches or leaking drafts to public endpoints. It needs strict query segmentation, deterministic routing, and cache isolation — done right, it preserves static/edge performance while enabling fluid editorial review. It sits at the center of Preview & Draft Workflow Patterns, where state boundaries directly shape developer velocity and content delivery SLAs.

The draft/publish boundary

A request resolves down one of two never-intersecting paths, decided by the state signal it carries:

flowchart TD
  A["Incoming request"] --> B{"state signal? (token / header / param)"}
  B -->|"published"| C["Published graph"]
  C --> D["SSG / ISR render"]
  D --> E["Aggressive CDN cache (max-age)"]
  B -->|"draft"| F["Draft graph"]
  F --> G["Validate signed token at edge"]
  G --> H["On-demand fetch, status=draft"]
  H --> I["no-store / revalidate=0"]
  E --> J["Public visitor"]
  I --> K["Authorized reviewer"]

Keep two content graphs that never intersect at the routing or caching layer. Fetch, transform, and invalidate draft payloads independently of published ones. This prevents cache poisoning — a CDN serving unpublished content to anonymous visitors during edge warm-up or transient build states. Treat draft and published as distinct execution contexts and public endpoints stay immutable while previews get zero-latency freshness.

Query segmentation and routing

State transitions are driven by explicit signals: query parameters, HTTP headers, or signed tokens. GraphQL implementations use a status: draft argument or a dedicated preview schema; REST endpoints use an X-Preview-Mode header or route-level middleware. Normalize these inputs into one state machine before any request fires.

TypeScript
// types/content-state.ts
export type ContentState = 'published' | 'draft';

export interface FetchConfig {
  state: ContentState;
  locale: string;
  previewToken?: string;
}

// lib/content-fetcher.ts
export async function resolveContent(slug: string, config: FetchConfig) {
  const isDraft = config.state === 'draft';
  
  const requestHeaders: Record<string, string> = {
    'Content-Type': 'application/json',
    ...(isDraft && config.previewToken ? { 'Authorization': `Bearer ${config.previewToken}` } : {}),
  };

  const queryParams = new URLSearchParams({
    slug,
    locale: config.locale,
    ...(isDraft ? { status: 'draft', draft: 'true' } : { status: 'published' }),
  });

  // Framework-agnostic fetch with explicit cache directives
  const response = await fetch(`${process.env.CMS_API_URL}/content?${queryParams}`, {
    headers: requestHeaders,
    next: { 
      revalidate: isDraft ? 0 : 300, 
      tags: [`content:${slug}`, isDraft ? 'draft-mode' : 'published'] 
    },
  });

  if (!response.ok) {
    throw new Error(`Content resolution failed: ${response.status}`);
  }
  return response.json();
}

Centralizing this logic makes draft requests bypass long-lived CDN caches by default. Managing draft vs published content states in frontend requires enforcing the boundary in every fetch utility, server component, and API route.

Cache isolation and invalidation

Draft state management is a caching problem. Public content takes aggressive Cache-Control: public, max-age=31536000; draft content takes Cache-Control: no-store or on-demand revalidation tags. Edge networks with granular cache tagging let you purge draft-specific entries without invalidating the published site. When content moves from draft to published, fire targeted purges and trigger ISR — typically via Webhook Triggered Rebuilds — so the frontend reflects the change in seconds, not full deploy cycles.

Token handling and session persistence

Never gate preview on guessable URLs or persistent query strings. Issue short-lived, cryptographically signed tokens, validated at the edge before routing to draft sources, and store them in HttpOnly, Secure cookies with expiration windows aligned to review cycles. Token-Based Preview Authentication keeps preview mode behind authenticated stakeholders while public traffic stays confined to production graphs.

Framework integration and edge execution

Modern frameworks expose native draft primitives. Next.js App Router uses draftMode() to toggle preview; Nuxt intercepts preview cookies in server middleware. The model is the same everywhere: intercept the request, validate the state signal, fetch from the right endpoint, and render with isolated cache tags. For the caching semantics behind this, see RFC 9111, and for request isolation at the edge, the Cloudflare Workers request-context docs.

Summary

Draft state management is an architectural pattern, not a feature toggle: it dictates how content flows from authoring to production. Segment queries, isolate cache layers, and secure preview tokens, and you get high-performance static delivery without sacrificing editorial agility.