The "no more silent 404s" release. Eliminates the bug class where a stale or missing Astro .env App Password caused every page on the headless frontend to 404 — with no admin-side warning. Real users (thank you Asad) hit this and couldn't tell what was wrong.
Fixed
/hatch/v1/contentis now PUBLIC. The universal post / page / CPT resolver no longer requirespermission_authenticated. It only ever returnspost_status: publishcontent (enforced insideroute_content_by_slug), so making it public exposes nothing private — exactly the same surface as visiting the page on the live site. Eliminates the "App Password expired → entire headless frontend goes silent-404" failure mode.getPostBySlug+getPageBySlug(Astro) now use the public endpoint. Previously both hit/wp/v2/postsand/wp/v2/pageswhich require Basic auth. Now they use the public/hatch/v1/content?slug=…path, so even with NO credentials in.envthe headless frontend renders posts and pages correctly. Auth is still used for everything that actually needs it (admin/edit flows)./hatch/v1/contentresponse enriched withcategories,tags, andauthorso the blog template can render breadcrumbs, related posts, and the author bio in a single round-trip.
Verified
- With
WP_API_USER=andWP_API_PASS=(both empty) in.env:/blog/edge-e-testreturns 200 with the post title, breadcrumbs, share rail, progress bar, related posts — all rendered correctly./sample-pagereturns 200 with the page content.
- Every Design tab feature toggle now produces a visible end-to-end render change (verified: progress_bar, breadcrumb, last_updated, sticky_share, next_prev_nav, related_posts).
/hatch/v1/post/{id}/blockspermission unchanged — context-aware (view = public, edit = auth) per existing route handler.
Migration
No action needed. Existing installs get the fix on plugin upgrade. The .env file is no longer load-bearing for read paths — you can leave WP_API_USER and WP_API_PASS blank and the frontend will still render perfectly. Set them only when you need auth for non-Hatch endpoints (e.g., raw /wp/v2/* calls in custom code).