I’m hoping someone familiar with the Envato API OAuth workflow can help me here.
Yesterday I finished developing an OAuth purchase verification and automatic update system for my WordPress plugin, which is working well and makes it really easy for customers to enable updates from within WordPress. Instead of asking/guiding them to create an API key, or install the Envato Market Plugin (which they’ll also need an API key for), they literally just need to approve the OAuth authentication in a popup window with one click and they’re done. It’s also compatible with the Envato Market Plugin if customers are already using that.
However, I’ve just discovered that if you grant OAuth access on a second site with the same Envato account, the first site’s refresh_token is revoked, so essentially the OAuth grant becomes null and void.
If a customer is only ever using my plugin on one site, this isn’t much of a problem. But if they authorize my plugin on a staging site for example, then their main site loses its authorization. Or if they buy a second license on the same Envato account to use on a new site, they can’t authorize both at the same time.
I’m hoping there’s something I can do to make this work, since I’ve already released this in my plugin’s latest update. Or are CodeCanyon customers destined to a life of tedious API keys if they want automatic updates from within WordPress?