Secure Downloads
Every download of a purchased module passes through three independent checks. Each one alone would stop most misuse; together they make a download link worthless to anyone but its owner.
The three layers
When you download, the request must satisfy all of:
- A valid session. You must be signed in — the request carries your session, verified on the server.
- A live ownership check. The server re-confirms you own the module from the database on every request, not just once at purchase time. Losing access (e.g. signing out) invalidates in-flight links.
- A signed access token. A short-lived token, issued per download, that binds the request to you, the module, and your network.
The signed token sits on top of the session — it never replaces it. So even a perfectly valid token does nothing without the matching signed-in session behind it.
Signed access tokens
Each download begins by requesting a fresh signed token. The token is a signed credential that encodes:
- who it's for (your user id),
- what it grants (the specific module id),
- where it was issued (your IP address), and
- a unique one-time id.
The download endpoint re-checks every one of these before serving a byte.
One-time use
The token's unique id is consumed the moment it's used to begin a transfer. Any second attempt with the same token is refused. When you click Download again, the app quietly fetches a brand-new token — old ones are never reused. This makes replay impossible.
Short expiration
Tokens live up to 60 seconds. They're designed to be requested and used immediately, so there's never a long-lived URL to leak. Sixty seconds is ample for a transfer to start and far too little for an intercepted link to be abused.
Bound to your network
A token only works from the IP address it was issued to. A link copied to another machine or network simply fails the check.
Why a leaked link is useless
Put the layers together and a shared or intercepted link gives an attacker nothing:
- it expires within a minute,
- it's already consumed after one use,
- it only works from the original IP, and
- it still requires the owner's signed-in session, which the attacker doesn't have.
Anti-scraping limits
On top of correctness, download endpoints are rate-limited per user to stop automated harvesting — the lightweight token request and the actual file transfer have separate, sensible per-minute ceilings. Sustained scraping trips the fraud protection layer.
Next step
Even a legitimately downloaded file is traceable — see Watermarking →.