Keeping customers record, is this allowed on envato?

I have a project I want to publish by month end. This would be my first project on codecayon.

This product requires purchase code verification for license key issuance.

-User purchased the product from codecayon
-Goes to our website to create an account.
-From the account created, the would activate their product and issued a license key which would be required for the product to work.

In order to keep things organised, we provide support through a ticketing system and livechat but users would be logged to their accounts to use either the ticket or livechat.

Also, after the activation and the user saves their license key to their product, their project sends an API request to our server to authenticate the license key in the background. The request would contain sensitive details that “domain name, server ip, email and license key” . This is to help keep good record of where our product is being used, push updates through web hooks to the domain and stop products from working after refund/chargeback.

Does this violate any of codecayon rules?

Mostly allowed, but you’re pushing some boundaries, particularly with the “stop products from working” part. What’s to stop you (or someone who gets into your server) from abusing other buyers with this?

I’ve done something very similar but with key differences:

• No registration – I use the Envato API (OAuth) to get their username & purchase code(s).
• No recording of installation URL (unless necessary for opt-in services like push updates).
• No recording of emails (for privacy) but I do require it for any opt-in services that have their own TOS (to notify about changes to those terms in the future).
• My API keys are only used to download updates and enable those opt-in services.
• Activation is optional (because you never know when your server is going to go offline).
  • Unlicensed copies are still able to check for updates so they can see all the cool stuff they’re missing out on, but they will be unable to download them. This has actually earned me several sales from pirates over the years.

Now onto the fun part – refunds and chargebacks. When one of these occur, I simply disable their API key to prevent downloading further updates from my side. Not to say it’s against the rules because many authors do it, but I believe we should never be able to remotely disable an app. Unfortunately I’ve also seen authors abuse these systems against those who leave negative reviews.

If you do happen to have their URL after a refund or chargeback, then you’ll also have their server’s IP address (even behind something like cloudflare) and can fight it with the DMCA should the need arise – no need for any sort of remote control.

Thank you, @baileyherbert

However, the product is designed to work only with license key.

There are functions which relies heavily on other services on our server. For example, entire deposit process involves currency conversions from the base website currency to any the accepted currency of the payment method a user wants to use.

Let’s a say the admin sets the base currency of the website to EUR and a user wants to deposit 40 EUR through Stripe which accepts USD, a request is sent to our currency conversion service on our server to convert 40 EUR to USD before proceeding to charge the users credit card the USD equivalence and recording EUR in the deposit.

There are other services like auto blogs which uses our blog scraper api, kyc system, etc

All these requests are authenticated using the license key of the user.

We don’t want to support users who have gotten a refund, chargebacks, multiple domain uses , etc as all these request are using our resources hence it’s very important to monitor where our products are being used and who are using our product.

We are looking to have as many users as possible so sending individual DYMCA per domains for nulled or pirated versions are not options to us. We are only disabling their license key which prevents their websites from working as intended. This way, they are no longer using our resources.

You won’t get away with this - you can use license checking (via Envato API) to limit certain functionality or extended features, but the item still has to be able to function at a basic level without the need to register or enter any further codes etc. espcially not creating an entirely separate license beyond the envato one.

Also as @baileyherbert rightfully pointed out - even though numerous authors do apply the remote control methods, it is still against envato policy and if found will be a cause for rejection.

I get why you want to configure your item how you are proposing but you do need to consider the differences and implications of selling via a stock marketplace, not to mention the potential legal risk you are creating for yourself with handling some of that data.

@charlie4282

You won’t get away with this - you can use license checking (via Envato API) to limit certain functionality or extended features, but the item still has to be able to function at a basic level without the need to register or enter any further codes etc. espcially not creating an entirely separate license beyond the envato one.

I’ve read several envato terms but couldn’t place my hand where it is stated that we can’t have separate license key other the envato purchase code. I will be happy if you can help point me to it so I could read properly.

What you’re looking to do can actually be considered a rare exception to the rules, but there are some “gotchas” and I’m not particularly in favor of your strategy.

In this case you should be looking to market your item as a sort of “API wrapper” or an interface for your third party API. You should not be aiming to sell the features your API provides but rather the application on top of it, and it needs to be very clear that the item is based on this third party API. You could even simultaneously sell access to the API elsewhere such as on RapidAPI.

Buyers and reviewers on CodeCanyon expect an item to work on its own, with full source code to build upon, unless marketed otherwise. There are items here which are based entirely on some external API, and you can join the club, but you need to be careful.

In particular, know that this is not a viable strategy on its own, as you’re going to be in a position where your operational costs grow increasingly over time while sales on the marketplace may likely slow down, which makes it risky for all involved – and if you get any ideas about suddenly charging recurring fees to your existing buyers later, expect a surge of negative reviews.

Also know that whenever your API goes down, your entire product will fall apart. You’re also entering an interesting gray zone where buyers might be able to get a full refund if the API goes down.

Your best option is to ask support for exact details but -
a) even in the Author Terms it prevents variation (14) which the introduction of your new license etc. is doing, and
b) while you can use additional third party tokens it is discouraged as there are other data privacy requirements and limitations to how/where keygates and verification can be used, again several of which it sounds like your plan breaches.

@baileyherbert @charlie4282

I have sent support request to envato, I will update this thread with their response.

Below is what I sent to them;

Hi,

I am new author on Envato and would like to start selling my products (php scripts ) on envato.

In the past few days, I’ve spent time reading other terms and guides and asking questions on the author forum. However, at this point there are questions I need directly explanation from a support person.

Description:
I have a product which requires the use of an API key for verification and continuous use.

Step 1: After the user purchases our product from codecayon, he would be “REQUIRED” to go our website, create an account and activate the domain where he intends to install the php script.

Step 2: During the activation in Step 1 above, the user would be required to enter Envato purchase code which would be validated. If valid, the user would be issued a “LICENSE KEY”

Step 3: After the user had been issued a license key, he goes back to his server and begins the installation process. It product has custom installer made for it, after installing and setting up details about the website, he would be “REQUIRED” to enter the license key that was issued in step 2 above.

Step 4: His server would send a request to our server with “INSTALLATION EMAIL, SERVER IP, DOMAIN NAME, WEBSITE NAME AND LICENSE KEY” for authentication in the background, if the license key is valid for that domain, we will store the activation instance with the all the information sent in the request on our server and would periodically check that license keys are still valid through GET requests that runs in the “BACKGROUND”.

Step 5: If the during the installation or at a later date, the user uses invalid license key, the product would not work as intended any more as some features which require api calls to our third party services (e.g currency conversion api, blog scrapper Api, kyc system API), owned by us would not be accessible to the user anymore . The user can replicate these functions themselves or disable the feature programmatically. This is to prevent nulled and piracy of our product, and users from abusing the chargeback and refund system.

Step 6: Some api calls requires sending request ‘server ip, domain name, website name, email address, etc depending the the type of request being made.

Step 7: Users can change the domain associated with their license key by logging into their account on our website created during product activation and using the change domain feature on their dashboard. This is good for migrations and activations on dev environment.

8. We provide support to users though a ticketing and livechat system on our website but users need to be logged to their account to use this feature.

Questions:

1. Does envato allow third party license keys or tokens in place of purchase codes?

2. Does envato allow authors keeping record of domains and server ip where their products purchased on codecayon are being used?

3. Does envato allow authors to keep customers details such name, email and website name ?

I am looking forward to hearing from you. I would love to start selling my php scripts on envato as soon as possible.

Thank you.

Candidly and with repsect, this all sounds like a lot of effort and fraught with potential headaches and investment to maintain, especially for a stock marketplace and customer base.

It will be interesting to hear what they say. I suspect you will be guided to the right part of the author terms etc.

I will await their response.

…this all sounds like a lot of effort and fraught with potential headaches and investment to maintain, especially for a stock marketplace and customer base

Is this on our part or the part of the customer?

If it’s on our part, we have put in place everything to maintain our scripts, supports and ensure api is running at all time.

Our product is premium one that we would not like to be easily pirated. If you must use the nulled version, you would need to lose access to some functions and shed load on our server.

The script would be priced at 199$ for regular license if eventually approved by codecayon.

If there is no way codecayon would allow us a way to protect our script, then selling on envato would not be our best choice.

Everyday, thousands of codecayon scripts are shared for free on null sites, check babiato forum, the number of people using the pirated copy are more than the number of people using a valid license.

It’s interesting -

For reference I am all for authors charging properly for their work as I do not think the race to the bottom mentality helps anyone.

Likewise, anything people can do to counter pirates and warez is only a good thing.

Again, unfortunately I think you are going to struggle with that price tag - not because it’s not worth it, but because of the nature of stock marketplaces, access to alternatives available in that bracket, and the vast majority of buyers.

@charlie4282
There is no much alternatives for the type of script intend selling.

On codecayon, there only 9 of these scripts. Out of the 9, only two are of the same quality level as ours. But we have more features as these two.

Already these two are priced at 199$ so we are in the right competition .

Also, these two that are already priced at $199 only sell the basic feature for the script and add other features as addon sold separately but ours have all featured as a bundled package with no need for additional purchases.

Your best option is to ask for help with the exact details.

@charlie4282 @baileyherbert

Here is the response from envato support

Hi there

I’m Oliver with Envato Support. I’ll be happy to take add some clarity.

1. Does Envato allow third-party license keys or tokens in place of purchase codes?

No, we don’t. In short, we do not allow encryption as such within the items, and any item must work “out of the box.”

As you mentioned, we have an API which you can use https://build.envato.com/ to add verification checks, e.g., if a user has a valid purchase code which we provide when a user purchases your item.
We are also on hand should you ever discover an end-user misusing an item regarding their license terms.

2. Does Envato allow authors to keep records of domains and server IP where their products purchased on code canyon are being used?

Yes, this is allowed.

3. Does Envato allow authors to keep customers’ details such as name, email, and website name?

No, this won’t be allowed either, as it conflicts with our Privacy policies**.**Actually, personal such as email and name will not be provided during or after the purchase.

Please let me know if you have further questions.

All the best.

Oliver Anderson
Envato Support

With this being said, how exactly does evanto intend to protect our script when pirates.

Check this scenario;

User A, buys script from envato, installs the script on his server create a chargeback with his bank or PayPal, envato removes the money from our account and refunds the buyer?

User A gets to use our script for free!

User A steals a credit card belonging to Mr C, User A uses the card to purchase the script and install on his server. After X days, Mr C reports a fraudulent charge on his card, charges back the payment and envato refund the money to the Mr C’s card.

Again User A gets to use the script even though he has be refunded.

I can go on to list as many more scenarios where this applies.

At best that envato can do is to block the purchase code which prevents the user from making updates but at this point the the user already have the script on their server.

How exactly does evanto protect our scripts from pirates?

Envato have a team dedicated to tackling these things but they (for obvious reasons) do not discuss in detail the steps taken.

The thing is that the scenarios you are demonstrating I.e. sales reversals are not something that any steps taken by envato would or could prevent.

These are beyond envato’s control and between the buyer and their bank.

At the end of the day it’s important to remember that CodeCanyon is a marketplace for selling code. If you’re going to sell a ready-to-go script, great! – those are very popular here, but don’t forget that you’re actually selling the source code rather than the script.

As you’re beginning to realize, this means fully protecting any item against pirates is not possible. Even if you add a keygate, the buyer will have access to the code and can remove it. This is why I went with my strategy above, enticing pirates to purchase a legitimate copy rather than fighting it. It’s an uphill battle and after trying to fight it early on I quickly learned that it was not worth my time.

There’s a huge number of established, well-intentioned buyers here who wouldn’t bat an eye towards a pirated copy of your script. In fact, all of the best sellers on the marketplace probably have copies plastered across the internet, yet they’re still selling like hotcakes.

Keep in mind that many buyers will want to customize your code, build upon it, or even extract certain features from it to use in their own application or website. Not everyone who purchases your script is going to use it as-is, and Envato expects you to cater to these buyers as well.

If it’s absolutely unacceptable for your item to be pirated, then I would say this is definitely not the right place for you because unfortunately that is the fate of most items here shortly after approval.

However, keep in mind that all software can be pirated no matter what lengths you go to or where you sell them. Even some of the most heavily encrypted PHP applications sold elsewhere online get cracked regularly. Don’t let inevitable things get the best of you.

Envato have a team dedicated to tackling these things but they (for obvious reasons) do not discuss in detail the steps taken.

I don’t think they do anything to protect against piracy, just check null site and you will tons of evanto scripts available for free there.

The thing is that the scenarios you are demonstrating I.e. sales reversals are not something that any steps taken by envato would or could prevent.

These are beyond envato’s control and between the buyer and their bank.

I do understand these are beyond envato but in an event that charge back is created by a user, shouldn’t be okay to allow users to implement a system that prevents optimal working of the pirated scripts?

**Example: ** in our script, when a user is issued a refund or chargeback or any other misuse, etc the script would still work but some functions would stop, like we have created an API service for currency conversion which we use in our products. In this case the user won’t be able to use the currency converter, he can either remove the function completely or develop his own service.

At the end of the day it’s important to remember that CodeCanyon is a marketplace for selling code. If you’re going to sell a ready-to-go script, great! – those are very popular here, but don’t forget that you’re actually selling the source code rather than the script.

Certainly I’m selling the source code .

As you’re beginning to realize, this means fully protecting any item against pirates is not possible. Even if you add a keygate, the buyer will have access to the code and can remove it. This is why I went with my strategy above, enticing pirates to purchase a legitimate copy rather than fighting it. It’s an uphill battle and after trying to fight it early on I quickly learned that it was not worth my time.

In this case, the scripts won’t be encrypted. Just a basic keygate for our our third-party systems.

We don’t want to support free users on our server.

If a user doesn’t have an valid API key, he won’t be able to use the our API services which the script won’t work without those.

**Example: ** If have a feature called Google Rechapta which uses Google Rechapta for both check. For this feature to work well, 5hode who purchase the script must create an account with Google and to get their own API key. This is same with what we have done. In this case, when a user buys the script he would need an API key to get the access to the currency conversion. To get API, he must first create an account with us, then we check if he has a valid purchase code and issue him an API key. Without a valid API key, he won’t be able use the currency conversion API which the script relies heavily on for deposits.

There’s a huge number of established, well-intentioned buyers here who wouldn’t bat an eye towards a pirated copy of your script. In fact, all of the best sellers on the marketplace probably have copies plastered across the internet, yet they’re still selling like hotcakes.

Definitely.

Keep in mind that many buyers will want to customize your code, build upon it, or even extract certain features from it to use in their own application or website. Not everyone who purchases your script is going to use it as-is, and Envato expects you to cater to these buyers as well.

Can be used, script is not encrypted

If it’s absolutely unacceptable for your item to be pirated, then I would say this is definitely not the right place for you because unfortunately that is the fate of most items here shortly after approval.

However, keep in mind that all software can be pirated no matter what lengths you go to or where you sell them. Even some of the most heavily encrypted PHP applications sold elsewhere online get cracked regularly. Don’t let inevitable things get the best of you.

It can be pirated but you just have to write your currency conversion API, KYC system API, Blog Scrapper API.

These are APIs that we developed and use in most of projects. They are not free to use independently except within our products.

@charlie4282 @baileyherbert

Here is a follow up response from Envato

Hi there

I’ll be happy to clarify.

1. User A, buys script from envato, installs the script on his server create a chargeback with his bank or PayPal, envato removes the money from our account and refunds the buyer?
   In this case, the license will be null and the user’s account will be permanently disabled.

2. User A steals a credit card belonging to Mr C, User A uses the card to purchase the script and install on his server. After X days, Mr C reports a fraudulent charge on his card, charges back the payment and envato refund the money to the Mr C’s card.
This might happen from time to time, as any Marketplace is 100% free of fraudulent transactions; this is called “Sale Reversal”. You can read more about this topic here. sales reversals.
it’s important to confirm that those users will be permanently blocked and their accounts disabled. As you can imagine that is not the kind of members we want to have within our community. That is the reason why we have a zero-tolerance policy regarding this matter.

3. How exactly does Envato protect our scripts from pirates?
In short - Envato cannot offer any protection over the misuse of your end items. It’s important that we are fully transparent here.

It’s a common misunderstanding amongst many authors that the end-items that incorporate your item or any external sites that violate your copyright are something Envato can resolve. This is mainly around who’s responsibility it is for the copyright and infringement of the author’s assets. Let’s discuss and clarify this.

Envato simply put, is an online marketplace.

We have built and maintained a community of engaged buyers. We allow any creator of a digital asset to come and essentially set up shop on our marketplace to sell their items to the community. In summary, our only function to authors is to facilitate a sale. You still own all rights to your item, and once a sale is made, it is a direct relationship between the author and the user. Envato no longer has any part in this relationship.

This is made clear in our terms:

The author of the Item retains ownership of the Item but grants you the license on these terms. This license is between the author of the Item and you. Envato Pty Ltd is not a party to this license or the one giving you the license.

Just like any other part of your business, from pre-sales, production of other assets, marketing, accounts, and support, copyright is your responsibility and any infringements arising out of this would be a matter for yourself. Envato does not offer any copyright protection nor do we have any role if after a sale is made, a user does violate the license terms, or infringes your copyright. I appreciate this may come as a surprise that we don’t offer this, and the reasons are:

1. We hold no legal ownership of your item, you own the copyright and so only you can claim any infringement.
2. We are not copyright experts and most copyright issues can only ever be settled via legal discourse.
3. We do not monitor any end-uses of the item.
4. It’s impossible to track how every buyer uses your asset.

Of course, 99.9% of users within our community are good-willed buyers, who not only want a valid license in place but also want to compensate the author for their work and talent.

Bad actors exist everywhere and this isn’t something we can prevent.

In terms of an end-user who may alter your code and then submit this to Envato. If we receive a DMCA take-down notice from you, we will take this item down immediately pending the DMCA process.

Thanks for your understanding and I am happy to discuss should you have any questions.

All the best

Oliver Anderson
Envato Support

I’m familiar with countless items on CodeCanyon that use the author’s own API in some form or another. However, these are typically not mission-critical for the item – if the same is true for your case, then I would say it’s totally fine.

If that’s not the case, then one way to circumvent this is to give your users the option of choosing between your own API or choosing between one or more third party APIs that you have integrated, where they will be expected to pay for their own key. Ideally, look for some providers with a free tier.

Building upon what support said as they went on to discuss encryption… it’s normal to generate your own API key (in fact this is the only way to properly implement a license check with domain management). However, behind each API key must be a purchase code, i.e. your entire API key mechanism needs to be built around purchase codes.

And with such a system, if you ever do give a refund or receive a chargeback, Envato will show you the purchase code in both cases so you can easily deactivate the API key from your side.