Password-Protected Preview URLs — The Client Review Workflow Agencies Deserve

Agencies and consultancies have a unique preview problem. Your client wants to see the work in progress — not a screenshot, not a Loom video, not a calendar invite for a screen share. They want a link they can click from their phone, on their own time, and poke around the real application.

What most agencies do today: start a local server, fire up ngrok, paste the URL in Slack, and hope their laptop doesn't fall asleep before the client looks at it. Or worse — set up a dedicated staging server per project that costs $20–50/month and still isn't tied to any specific branch or feature.

PreviewDrop's password-protected, auto-expiring preview URLs replace that entire workflow with one link per branch. Here's how it works, and how agencies are using it to cut infrastructure costs while improving client communication.

The agency preview problem

Web agencies building custom applications for clients face a challenge that product companies don't. Your clients aren't engineers — they don't read CI logs, they don't understand branch names, and they definitely don't want to "clone the repo and run it locally." They want a URL. One URL, per feature, that they can open on their phone while waiting for coffee.

The current solutions all have gaps:

Ngrok tunnels require your laptop to be online and running. They expose your local machine to the internet. The URL changes every time you restart the tunnel. There's no password protection unless you build it into the application itself. And if your client checks the link at 11 PM, it's dead because you closed your laptop at 6.

Shared staging servers work for internal teams but fail for agencies. A staging server runs one version of the app at a time — whichever branch was deployed last. Two clients reviewing two different features need two different environments. The agency ends up provisioning one staging server per client, each costing $20–50/month, each requiring maintenance, each becoming another thing that bills the client but doesn't ship features.

Deploy previews without passwords expose in-progress work to search engines, curious competitors, and anyone who guesses the URL. For an agency building a client's unreleased product, that's unacceptable.

How password-protected previews work

PreviewDrop lets you set a per-preview password from the dashboard. When someone visits the preview URL, they see a simple password gate before the application loads — no application code changes required.

The password protection happens at the routing layer, not inside your app. Your Django, Rails, Laravel, or React app doesn't know it's behind a password gate. There's no middleware to add, no conditional logic for PREVIEW_MODE=true, no risk that a misconfiguration exposes the app without the gate.

Here's the workflow:

1. You push a branch. PreviewDrop detects the push, builds the preview, and gives you a URL — same as always.
2. From the dashboard, you toggle "Password protect" and set a password. Or you do it from the CLI: previewdrop protect --password "client-name-2026"
3. You share the URL with your client. They enter the password once, and the session persists for the duration of their visit. No account creation, no email verification, no friction.
4. The preview auto-expires on the TTL you set — 1 hour, 4 hours, 8 hours, or 7 days depending on your plan. No cleanup, no forgotten previews running for months.

The auto-expiry advantage

Auto-expiry does more than save disk space. It creates a natural cadence for client communication.

When you send a preview with a 4-hour TTL, you're implicitly saying: "this is what I shipped today — take a look before EOD." When you set a 7-day TTL, you're saying: "this is the version for your stakeholder review next week." The TTL communicates expectations without a separate email.

It also eliminates the awkward "hey, can you take down that preview from three months ago?" conversation. Previews clean up automatically. The client always has the right version because the old ones are gone.

What this replaces (and what you stop paying for)

A typical agency with 5 active client projects might be running:

• 5 staging servers at $25/month each = $125/month
• 2 ngrok Pro subscriptions ($8/month each) for demos = $16/month
• 1 shared VPS for "miscellaneous previews nobody remembers creating" = $15/month
• Engineering time spent setting up and maintaining all of the above: ~4 hours/month at agency rates

That's roughly $156/month in direct infrastructure costs plus $600/month in engineering time — per month, per agency. PreviewDrop's Pro plan is $79/month and covers 20 concurrent previews across all your projects, with password protection and configurable TTLs included.

Sharing previews with non-technical stakeholders

The password-gate page is deliberately simple. It's a single field — no "create account," no "verify email," no multi-factor prompt. Your client types the password and sees the app. If they share the password with their team internally, that's fine — the URL still expires on schedule.

For stakeholders who need to open the preview on mobile, the password gate is responsive and works in any modern browser. The client taps the link in their email, enters the password, and the app loads. No app installation, no VPN, no corporate network configuration.

Agency workflow: feature → preview → feedback → merge

Here's how a typical feature review cycle looks with password-protected previews:

1. Developer finishes a feature, opens a PR, gets a preview URL automatically.
2. Developer sets a password ("sprint-12-review") and a 4-hour TTL.
3. Project manager shares the URL in the client's Slack channel with the password.
4. Client opens the link on their phone, enters the password, tests the feature, and leaves feedback in the PR comments.
5. Developer iterates, pushes a fix, preview redeploys automatically (same URL, same password, under 60 seconds).
6. Client re-checks the same link — no new password to share, no new URL to find.
7. PR merges, preview expires, cleanup happens automatically.

Every step happens without the agency managing infrastructure. No staging server to provision, no DNS records to create, no cleanup script to write.

Security for client work

Password protection is one layer. For agencies handling sensitive client work, here are the additional controls:

• Auto-expiry — the preview literally disappears after the TTL. No lingering access.
• HTTPS on every URL — all preview traffic is encrypted in transit, same as production.
• No search engine indexing — preview URLs include X-Robots-Tag: noindex headers so they never appear in search results, even without the password gate.
• Per-project isolation — each client project has its own workspace, its own environment variables, and its own preview history. No cross-client data leakage.

Start using password-protected previews

Password protection is included on all paid PreviewDrop plans. The free tier gives you 2 concurrent previews so you can test the workflow with a real client before upgrading.

Start free with GitHub →