Artifact Site Pub-Token and Signed Viewer Handoff
How signed-in viewers are handed off from the main app to the pub host, why a short-lived token is added for that redirect, and what users should understand about that access bridge.
Where you see this in the app
This page documents what happens when a signed-in viewer opens an artifact site and the app hands them off to the pub host.
Users do not normally type or manage this token directly, but the handoff affects how signed viewing works across hosts.
Why signed viewers get a token
The pub host is a different serving surface from the main app shell.
For a signed-in viewer, the app needs a short-lived way to prove viewer identity to that pub surface during redirect. That is why the redirect can include a temporary signed token instead of assuming the pub host automatically knows the browser session.
gpx_token and pub host handoff
The app uses a short-lived `gpx_token`-style handoff on the redirect to the pub host.
From an end-user standpoint, the important meaning is:
- signed viewer access is being carried into the published-site host,
- the token is part of the redirect bridge,
- it is not the same thing as a long-term personal API token.
This is a viewing handoff, not a general-purpose credential.
Short-lived access behavior
The handoff token is intentionally short-lived.
Users should expect it to exist only long enough to complete the viewer access bridge. It is not meant to remain a reusable, permanent link secret.
That short lifetime is part of how the app limits replay and keeps cross-host access narrow.
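A sketch of how a short-lived, site-bound handoff token can be issued by the main app and checked by the pub host. This is an added example, not the app's own code: the page does not document the real `gpx_token` format, so the HMAC-SHA256 construction, the 60-second lifetime, the claim names, and the function names here are all assumptions.

```python
import base64, hashlib, hmac, json

# Assumptions (not from the page): HMAC-SHA256 over a JSON payload, a 60 s
# lifetime, and the claim names "sub", "site", "aud", "exp".
HANDOFF_KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
TTL_SECONDS = 60
AUDIENCE = "pub-host-view"  # hypothetical marker: viewing handoff only

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_handoff_token(viewer_id: str, site_id: str, now: float) -> str:
    """Main app side: mint a token just before redirecting to the pub host."""
    payload = json.dumps(
        {"sub": viewer_id, "site": site_id, "aud": AUDIENCE,
         "exp": int(now) + TTL_SECONDS},
        separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
    return b64url(payload) + "." + b64url(sig)

def verify_handoff_token(token: str, site_id: str, now: float):
    """Pub host side: return the viewer id, or None if the token is rejected."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = unb64url(payload_b64), unb64url(sig_b64)
    except ValueError:                      # malformed token or bad base64
        return None
    expected = hmac.new(HANDOFF_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # tampered or wrong key
        return None
    claims = json.loads(payload)            # safe to parse: signature verified
    if claims.get("aud") != AUDIENCE:       # not a viewing handoff token
        return None
    if claims.get("site") != site_id:       # minted for a different site
        return None
    if now >= claims.get("exp", 0):         # lifetime elapsed: replay fails
        return None
    return claims.get("sub")
```

In this sketch the token still verifies anywhere inside its lifetime, so expiry bounds the replay window rather than making the token single-use.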
What users should and should not assume
Users should assume:
- the token is there to carry signed viewer access across the redirect,
- it is temporary,
- it supports viewing on the pub host.
Users should not assume:
- it is a reusable API credential,
- it permanently replaces sign-in,
- it turns a non-public artifact site into a universally public one.
Related docs
Artifact Site Anonymous Access and Public Eligibility
How the app decides when an artifact site can open without sign-in, why some public-looking links still redirect to login, and how purchase rules change anonymous access.
Artifact Site Cookie Bridge and Pub-Host Session Persistence
How the pub host turns a short-lived `gpx_token` redirect parameter into a `gpx_pub_token` cookie, and what that temporary cookie means for signed viewers who keep browsing the published site.