Auto plugin updates, is this method ok?


I’m currently working to implement an auto update method to my plugins, similar as the one in Visual Composer. Based on the purchase code and the current site, the user can activate auto-updates there. So far so good, all I need is to set up a handler on a server to do the check and returning back the download URL to the update if available and the check went all right.

Here is something I’m not sure of. I’ve checked the source few plugins that use this method, and the download URL they return is self hosted, or hosted on an amazon AWS (unrelated to envato) - meaning that the download is coming from a 3rd party URL, and not directly from envato itself. It’s done safely on their side of course, cannot be abused, that’s not the issue.

My question is rather silly, as others are doing this, but is it ok to us this method? After verification can I allow the plugin to be updated from a 3rd party url (after verification), as long as it’s safe and the file is exactly the same as the one approved on codecanyon? I’m asking because I don’t want my plugin to be removed in the future because of this.

Otherwise I would need the user to make an API key as well, whereas in this method the purchase code and the user name is sufficient, as the verification is done via my application.

I do this since Sept. 2012 in my plugin. No problems.

Buyers love that they don’t have to wait until it’s approved on the markteplace