How does the back end server for online authentication work?

So Im getting ready to release my plugin and am considering requiring product registration. I read the tutorial about the OnlineUnlock class and I think most of that is pretty straight forward, however I don’t understand the section about the back end server, as I have never worked with servers.

In the tutorial it looks like they make a local server, which I assume means a server running off your personal PC, but I also assume in a real life case you would use a separate dedicated server? If this is true, do I need to purchase a server space? (Possibly very dumb question) I already have a domain to release my plugin on, am I able to use that domain in someway to act as my server? Finally is there any type of maintenance needed for an authentication server ?

Any help appreciated! Thanks!

You will at least need to have a dedicated authentication server and database of users/purchases/licences.

Virtualised server offerings from AWS, Google Cloud, Azure, …, mean that you don’t have to worry about maintaining your own hardware, but you would still need to keep an eye on the latest security news and update your services accordingly. This is usually pretty low overhead in practice but not something you can ignore.

It’s possible that rolling your own anti-piracy will do more hard than good. Anything less than a comprehensive solution will get cracked pretty swiftly, and any measures you do put in may make the product worse for paying customers. I think there are two sensible strategies:

  1. Do the minimum viable licence checking using your own authentication web infrastructure. Add just enough complexity to the licence check that when people download a cracked version it’s obvious that it’s not the same as the original version. If you plug-in becomes popular then a crack will appear fairly swiftly, but this approach will be minimally intrusive to your users.

  2. Use a tried-and-tested comprehensive solution. PACE is the industry leader by a wide margin: https://www.paceap.com/ . They provide online licence management for you, so there’s a whole swathe of problems you no longer need to think about.

** JUCE is owned by PACE, but this post is not representative of JUCE’s or PACE’s opinions, nor is it meant to be an explicit advert for their services. I have personally released plug-ins using the first approach and made my peace with seeing a cracked version appear, disheartening though it may be. I just want to caution very strongly against implementing anything more than the minimum viable protection yourself.

4 Likes