Skip to content

Secure Downloads

Every download of a purchased module passes through three independent checks. Each one alone would stop most misuse; together they make a download link worthless to anyone but its owner.

The three layers

When you download, the request must satisfy all of:

  1. A valid session. You must be signed in — the request carries your session, verified on the server.
  2. A live ownership check. The server re-confirms you own the module from the database on every request, not just once at purchase time. Losing access (e.g. signing out) invalidates in-flight links.
  3. A signed access token. A short-lived token, issued per download, that binds the request to you, the module, and your network.

The signed token sits on top of the session — it never replaces it. So even a perfectly valid token does nothing without the matching signed-in session behind it.

Signed access tokens

Each download begins by requesting a fresh signed token. The token is a signed credential that encodes:

  • who it's for (your user id),
  • what it grants (the specific module id),
  • where it was issued (your IP address), and
  • a unique one-time id.

The download endpoint re-checks every one of these before serving a byte.

One-time use

The token's unique id is consumed the moment it's used to begin a transfer. Any second attempt with the same token is refused. When you click Download again, the app quietly fetches a brand-new token — old ones are never reused. This makes replay impossible.

Short expiration

Tokens live up to 60 seconds. They're designed to be requested and used immediately, so there's never a long-lived URL to leak. Sixty seconds is ample for a transfer to start and far too little for an intercepted link to be abused.

Bound to your network

A token only works from the IP address it was issued to. A link copied to another machine or network simply fails the check.

Put the layers together and a shared or intercepted link gives an attacker nothing:

  • it expires within a minute,
  • it's already consumed after one use,
  • it only works from the original IP, and
  • it still requires the owner's signed-in session, which the attacker doesn't have.

Anti-scraping limits

On top of correctness, download endpoints are rate-limited per user to stop automated harvesting — the lightweight token request and the actual file transfer have separate, sensible per-minute ceilings. Sustained scraping trips the fraud protection layer.

Next step

Even a legitimately downloaded file is traceable — see Watermarking →.

Built for developers who ship.