What is a Nonce?

A one-time token - the mechanism WordPress uses to prevent CSRF on every admin action.

Definition

A nonce ("number used once") is a short-lived token that a server issues and later expects back, used to prevent replay attacks and CSRF. In WordPress, a nonce is a hash derived from the user ID, the current action, and a rotating secret, valid for approximately 24 hours. Admin pages include nonces in forms; when the form is submitted, WordPress verifies the nonce before performing the action.

Nonces are not about secrecy - the client sees the nonce - they are about intent. A valid nonce proves the request came from a page the server issued to this specific user, which rules out a malicious third-party site tricking the browser into submitting the form as a logged-in user.
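The binding and expiry described above can be seen in a small model. This is an added example, not WordPress's or the plugin's code. The function names, the constructed secret, the use of HMAC-SHA256, and the two 12-hour windows are assumptions of this sketch.

```python
import hashlib
import hmac
import math

NONCE_LIFE = 24 * 60 * 60            # seconds; the ~24 hour lifetime described above
SECRET = b"constructed-demo-secret"  # constructed stand-in for the site's secret


def _tick(now: float) -> int:
    """Index of the half-lifetime (12 hour) window that contains `now`."""
    return math.ceil(now / (NONCE_LIFE / 2))


def _digest(tick: int, action: str, user_id: int) -> str:
    # The token depends on the window, the action and the user, keyed by the secret.
    msg = f"{tick}|{action}|{user_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def create_nonce(action: str, user_id: int, now: float) -> str:
    """Token the server embeds in the form it renders for this user and action."""
    return _digest(_tick(now), action, user_id)


def verify_nonce(nonce: str, action: str, user_id: int, now: float) -> bool:
    """Accept only a nonce minted in the current or the previous window."""
    tick = _tick(now)
    for candidate in (tick, tick - 1):
        expected = _digest(candidate, action, user_id)
        # Constant-time comparison; bytes so arbitrary submitted text cannot raise.
        if hmac.compare_digest(expected.encode(), nonce.encode()):
            return True
    return False


if __name__ == "__main__":
    t0 = 1_700_000_000.0  # constructed timestamp
    n = create_nonce("save_settings", 7, t0)
    print(verify_nonce(n, "save_settings", 7, t0 + 13 * 3600))    # True: still in window
    print(verify_nonce(n, "save_settings", 8, t0))                # False: other user
    print(verify_nonce(n, "activate_license", 7, t0))             # False: other action
    print(verify_nonce(n, "save_settings", 7, t0 + 24 * 3600))    # False: expired
```

Because the token is recomputed from the user and action on each check, the server stores nothing per form, and a token lifted from one user's page fails for any other user or action.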

How SheetLinkWP relates to nonces

Every admin form and AJAX endpoint in SheetLink Forms is protected by a WordPress nonce. Saving settings, activating a license, running an integration test, deactivating a site - all require a valid nonce. The plugin uses the standard wp_create_nonce() and check_admin_referer() helpers, so nonce validation gets the full benefit of WordPress's established CSRF protection.
