Data Mode
Data Mode adds client-side encryption to your published pages. When enabled, page content is encrypted with AES-256-GCM before being stored on CDN. Only clients with the content key can decrypt and display the content.
This is useful for protecting premium content, gated documentation, or any pages you want to keep private even though they're hosted on a public CDN.
How Data Mode Works
- Enable Data Mode → PageGun generates a unique content encryption key
- Publish pages → Content is encrypted before upload to CDN
- Client decrypts → Your frontend uses the content key to decrypt pages at runtime
- Key never stored on CDN → The encryption key is only returned once when enabling Data Mode
Your Content → AES-256-GCM Encryption → CDN (encrypted)
↓
Client + Content Key → Decrypted Content → Rendered PageGet Data Mode Status
GET /v1/projects/:id/data-modeReturns the current Data Mode status for a project.
Note
This endpoint does not return the encryption key. The key is only provided once when Data Mode is first enabled.
Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
id | string | Yes | Project ID |
Request
curl https://api.pagegun.com/v1/projects/MgdGoare/data-mode \
-H "Authorization: Bearer pgk_live_xxxxx"const response = await fetch(
"https://api.pagegun.com/v1/projects/MgdGoare/data-mode",
{ headers: { Authorization: "Bearer pgk_live_xxxxx" } }
);
const { data } = await response.json();Response
{
"success": true,
"data": {
"enabled": true,
"enabled_at": "2024-02-01T12:00:00Z"
}
}Enable Data Mode
POST /v1/projects/:id/data-modeEnables Data Mode and returns the content encryption key.
Danger
Save the contentKey immediately. It is only returned in this response and cannot be retrieved again. If you lose it, you must regenerate a new key (which re-encrypts all content).
Path Parameters
| Name | Type | Required | Description |
|---|---|---|---|
id | string | Yes | Project ID |
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
action | string | Yes | Must be "enable" |
Request
curl -X POST https://api.pagegun.com/v1/projects/MgdGoare/data-mode \
-H "Authorization: Bearer pgk_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{"action": "enable"}'const response = await fetch(
"https://api.pagegun.com/v1/projects/MgdGoare/data-mode",
{
method: "POST",
headers: {
Authorization: "Bearer pgk_live_xxxxx",
"Content-Type": "application/json",
},
body: JSON.stringify({ action: "enable" }),
}
);
const { data } = await response.json();
// ⚠️ Save data.contentKey securely — it won't be shown again!
console.log("Content Key:", data.contentKey);Response
{
"success": true,
"data": {
"enabled": true,
"contentKey": "a1b2c3d4e5f6..."
}
}Disable Data Mode
POST /v1/projects/:id/data-modeDisables Data Mode. Published pages will no longer be encrypted on CDN.
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
action | string | Yes | Must be "disable" |
Request
curl -X POST https://api.pagegun.com/v1/projects/MgdGoare/data-mode \
-H "Authorization: Bearer pgk_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{"action": "disable"}'Response
{
"success": true,
"data": {
"enabled": false
}
}Regenerate Key
POST /v1/projects/:id/data-modeGenerates a new encryption key and re-encrypts all published content. Use this if you've lost the original key or want to rotate keys.
Warning
Regenerating the key invalidates the previous key. All clients must be updated with the new key.
Request Body
| Name | Type | Required | Description |
|---|---|---|---|
action | string | Yes | Must be "regenerate-key" |
Request
curl -X POST https://api.pagegun.com/v1/projects/MgdGoare/data-mode \
-H "Authorization: Bearer pgk_live_xxxxx" \
-H "Content-Type: application/json" \
-d '{"action": "regenerate-key"}'Response
{
"success": true,
"data": {
"enabled": true,
"contentKey": "f6e5d4c3b2a1..."
}
}CDN Content Structure
When Data Mode is enabled, published content on CDN follows this structure:
/{project_id}/
_index.json # Page manifest (always unencrypted)
{page_slug}.json # Encrypted page contentEach encrypted page file contains:
{
"iv": "base64-encoded-iv",
"ciphertext": "base64-encoded-encrypted-content",
"tag": "base64-encoded-auth-tag"
}Content Key Security
- Store the content key in environment variables or a secrets manager
- Never expose the key in client-side source code directly
- Use a server-side proxy or edge function to inject the key at runtime
- Rotate keys periodically using the
regenerate-keyaction