Approval workflows often get introduced after something goes wrong: a pricing page publishes with an outdated number, a legal disclaimer disappears, or a product announcement leaks early. The instinct is to “add approvals,” but the result is frequently a slow, confusing process that writers work around.
A headless CMS can make this easier or harder. Easier because content is structured, state can be modeled, and publishing can be controlled centrally. Harder because content is reused across channels, and a single entry might affect web, mobile, email, and in-app surfaces.
This post walks through a practical way to design approvals that increase quality and accountability while keeping publishing fast. The key is to treat approval as a product workflow, not an afterthought.
What an approval workflow should accomplish
Before you design states and permissions, decide what “approval” is supposed to do for your organization. In most teams, it should accomplish a short list of outcomes:
- Prevent avoidable errors that have real cost, such as wrong claims, broken links, missing requirements, or brand violations.
- Create clear ownership so it is obvious who signed off on what, and where to go when a correction is needed.
- Keep throughput high by minimizing time spent waiting, re-reviewing, or debating what “done” means.
- Separate “ready” from “published” so teams can prepare work ahead of time and publish on a schedule.
Notice what is not on the list: forcing every sentence to be perfect or making one person a bottleneck. A workflow should reduce risk in the places where risk is real, and stay out of the way everywhere else.
Key Takeaways
- Use a small number of states that match how work actually moves, not how you wish it moved.
- Make “review-ready” an explicit signal with required fields and a checklist, not a vague message in chat.
- Permissions should protect publishing and critical fields, while letting writers iterate quickly.
- Track exceptions: urgent fixes, legal content, and time-based releases need planned paths.
Design content states that match reality
Most approval confusion comes from ambiguous states. People do not know whether an entry is “done,” “done but waiting,” or “done but someone changed it.” Fix this by designing a small state machine with strict meanings.
Start with 4 to 6 states
A good default is 5 states. It is enough to represent the work without creating a maze. Here is a conceptual structure you can adapt:
{
"states": [
"Draft",
"In Review",
"Changes Requested",
"Approved",
"Scheduled/Published"
],
"rules": [
"Only Approved content can be scheduled/published",
"Edits to Approved content move it back to In Review (with exceptions)",
"Changes Requested must include reviewer notes"
]
}Two details matter more than the names:
- Transitions must be intentional. Someone should choose “Send to review” rather than accidentally triggering review by editing a field.
- Each state must answer one question. For example, “In Review” means “someone is responsible for reviewing next,” not “this feels close.”
Handle edits after approval
Teams often argue about whether a small typo fix should require re-approval. The right answer depends on risk. Instead of debating every time, define categories:
- Safe edits: spelling, formatting, non-meaningful changes. Allow these without state regression, but log them.
- Meaningful edits: claims, pricing, policy language, calls to action, or anything that changes intent. Require review again.
Many headless CMS platforms support field-level permissions or “locked fields.” Even if yours does not, you can approximate this by splitting risky fields into a separate content type or grouping them into a “restricted” section.
Define roles and permissions without creating bottlenecks
Approvals fail when “permission” is used as a substitute for “process.” If everyone can publish everything, mistakes happen. If only one person can publish anything, the team slows down and starts routing around the system.
A practical pattern is to define roles based on what people are accountable for, not their seniority:
- Author: can create and edit drafts, attach assets, and submit for review.
- Reviewer: can comment, request changes, and approve content within a scope (for example, blog posts but not legal pages).
- Publisher: can schedule and publish approved content, manage releases, and handle urgent hotfixes.
- Admin: manages models, permissions, and automation.
Scope permissions to content types and “critical fields”
In a headless CMS, a “page” might be composed of many reusable entries: hero banner, testimonials, pricing blocks, and FAQs. You do not want a blog editor to accidentally ship an unreviewed pricing block.
To avoid this, scope permissions in two ways:
- By content type: marketing pages, product docs, legal, blog, glossary, and UI copy can have different workflows and reviewers.
- By field group: lock down sensitive fields such as “price,” “claim,” “disclaimer,” or “SEO canonical,” even within the same entry.
This keeps the system usable: writers can move quickly in low-risk areas, while high-risk areas get the extra attention they deserve.
Make handoffs explicit: review signals and required fields
The fastest workflow is not the one with the fewest states. It is the one with the clearest handoffs. Reviewers should not have to guess what to check, where to comment, or whether the draft is complete.
Define “review-ready” as a set of requirements
When an author moves content to In Review, require a few fields that make review efficient. Examples:
- Change summary: what changed and why.
- Intended placement: which page, app surface, or campaign uses this content.
- Risk flags: checkboxes such as “mentions pricing,” “mentions competitor,” “requires legal,” “contains claims.”
- Owner: who will respond to feedback and by when.
Even if your CMS does not support custom validation per state, you can enforce this through convention and periodic checks. However, validation is worth implementing if possible because it turns “please do this” into “the system ensures this.”
Set simple review expectations
Workflows stall in the gaps. Add lightweight expectations:
- Each review request has a target turnaround, such as “within 2 business days.”
- If the turnaround is missed, the author can reassign to a backup reviewer or escalate to a publisher.
- If content is time-sensitive, mark it as such in the CMS rather than relying on chat messages.
You do not need a complex service-level agreement. You need shared norms and a way to see what is waiting.
A concrete example: a small marketing team in a headless CMS
Consider a hypothetical SaaS company with a three-person marketing team and a part-time legal reviewer. They run a headless CMS that feeds their website and in-app announcements. Before workflow changes, authors published directly and occasionally corrected mistakes after users noticed.
They implement the following:
- Blog posts use the 5-state workflow. Marketing Lead is the default reviewer, and a Publisher role handles scheduling.
- In-app announcements add a “Risk flags” field. Any entry with “mentions pricing” requires legal review before approval.
- Pricing components are extracted into a separate content type with restricted fields. Only Publisher and Admin can edit “Price” and “Billing frequency.”
What changes in daily work:
- An author drafts a blog post and checks the “contains claims” flag because it includes a performance statement.
- When they click “Send to review,” the CMS requires a change summary and intended placement. The author adds: “New onboarding guide article, will be linked from docs landing page.”
- The reviewer approves the post but requests a wording change to reduce the claim. The post moves to “Changes Requested” and includes reviewer notes.
- The author edits and resubmits. Once approved, the publisher schedules it for release.
The key outcome is not bureaucracy. It is fewer surprises. Reviewers see the risk flags. Authors know what “review-ready” means. Publishers control scheduling. The system reflects how the team works.
Copy-paste checklist: ship a workflow in a week
Use this as a practical rollout plan. Keep it small enough that you can actually finish it.
- Pick the scope: start with one content type (often blog or announcements).
- List your real risks: wrong pricing, legal exposure, brand issues, broken links, unapproved claims.
- Choose 4 to 6 states and write one-sentence definitions for each state.
- Define transitions: who can move Draft to In Review, and who can move Approved to Published.
- Create roles: Author, Reviewer, Publisher, Admin (or equivalents).
- Add review-ready fields: change summary, intended placement, risk flags, owner.
- Decide on edit-after-approval rules: safe edits vs meaningful edits, plus how you log changes.
- Run a pilot: put 5 to 10 items through the workflow and note where it stalls.
- Document the “fast path”: one short internal page describing the normal flow and the urgent hotfix flow.
- Measure friction: time in review, number of back-and-forth cycles, number of urgent publishes.
Common mistakes to avoid
- Too many states. If people cannot remember the difference between “Ready,” “Final,” and “Complete,” you have already lost. Combine states until each one is clearly distinct.
- Approvals that live in comments only. A “Looks good” note is not an approval if the state still says Draft. Make approval a state change, not a message.
- No path for urgent fixes. When production content is wrong, people will bypass the workflow. Provide an explicit hotfix path with an audit trail.
- One reviewer for everything. This creates queue build-up and resentment. Use scoped reviewers and backups.
- Publishing without context. If a publisher cannot tell where content appears, they cannot judge risk. Capture intended placement in the CMS.
When not to add an approval workflow
Approvals are not automatically mature. Sometimes they are just extra steps. Consider not adding a formal workflow if:
- Your content is low-risk and easily reversible, such as internal notes or non-public drafts.
- You publish rarely and the same person writes and owns the content end-to-end.
- Your biggest problem is unclear strategy, not errors. In that case, fix planning and briefs before approvals.
- You cannot commit reviewer time. An approval workflow without reviewers turns into a permanent waiting room.
A lighter alternative is a “two-person check” for specific content types or fields, rather than a full state machine for everything.
Conclusion
A good CMS approval workflow is a small set of clear states, paired with roles and review signals that reduce uncertainty. The goal is not to slow work down. The goal is to make quality the default while keeping publishing predictable.
If you start small, define transitions carefully, and design for real handoffs, you can get the benefits of governance without building a bureaucracy.
FAQ
How many approvers should a piece of content need?
Default to one accountable reviewer per content type, with optional additional review triggered by risk flags (for example, legal only when needed). Multiple mandatory approvers on every item usually creates delays without improving outcomes.
Do we really need to re-approve after a typo fix?
Not always. Define “safe edits” that do not change meaning and allow them post-approval with logging. Require re-approval for meaningful edits that affect claims, pricing, policy language, or user actions.
Should we use versioning or drafts for published content?
Yes, if your CMS supports it. The safest model is to keep a published version stable while a new draft goes through review. This avoids “half edited” content appearing in production.
How do we handle content reused across multiple channels?
Make “intended placement” explicit and treat shared components (like pricing blocks or disclaimers) as higher risk. Use stricter permissions on shared content types because a single change can impact many surfaces.