Luckily, with things like AWS server side isn’t an issue any more. I run all my licensing as AWS services and because I don’t breach any of their threshholds( something like 4,000,000 executions a month) everything is free.
Ideally you’d want to be able to revoke licenses (e.g. refund, or resale) so you’d want to check with the license server periodically.
Of course, I would try to check also the license validity from the server. If a plugin is refunded or a license deactivated, it is unlikely that the user will then always produce music offline.
The most important point for me is that you have the order information somewhere (email address, payment date, and full name).
This way you could start with a simple solution and change the key and activation process later with a plugin update and prepare the new keys also for the existing users.
1 Like
What are peoples thoughts here on using only the functionality suggested in the JUCE “Unlock” tutorial, i.e. username/password that checks user status on a server (e.g. free/paid).
The limitations I understand to this approach are:
- not able to sell via third parties (who will require license keys)
- does not support offline authorisation
For the time being I am fine with those limitations, but I may be missing something…?
It seems to be the route ROLI took with their plugins.
For what it is worth—I use pretty much the stock JUCE Unlock approach. My needs are low volume, but it works, and actually is very fast. Normally, once user enters their information, it is literally only a second until they are unlocked.
2 Likes
I want to thank everyone for your insightful responses. I have decided not to use any copy protection at all. After researching the subject extensively, the scheme seems to be that honest customers will pay, and thieves will steal, no matter what. I am just starting selling plugins, and frankly, thinking about licensing solutions wastes so much time and energy. I could be using this time to gather a customer base or improve my products. I also figured that it was only a matter of time when creating a machine id, for example, fails with someone making two of us with headaches. There are multiple successful companies today with no copy protection whatsoever, and they appear to be doing just fine.
Honestly, I feel hugely relieved after letting go of the idea of copy protecting my plugins. One less thing to stress about. Let’s see how it goes!
5 Likes
I think you’ve summed it up perfectly 
2 Likes
For what it’s worth, Garritan (CFX) has one of the better licensing schemes: a simple key graphic that you drop on your plugin and which shows your name. I bet it contains some sort of cryptographic signature. And it does not only show your name, but your address incl. email address. If you don’t want to include the user’s name, replace it with a serial. That way you can let the plugin make an optional validity check so that at least online computers cannot use revoked licenses.
btw is there any current data regarding the usefulness of copy protections in the plugin scene or maybe general consumer software scene? One might think that expensive products would benefit from it… but to what extent? And to what extent does that extend to the 10-20€/$ price range?
In this article they say 94% of serum users have cracked the plugin.
The route I took was to make a code by applying some simple maths to the name, email address and an internal fixed code string (could be anything you want). This creates a user code of any length, for a specific plug-in. I kept it simple because it’s impossible to figure out the code anyway. And if they are dedicated enough to disassemble your plug-in then they’ll bypass all the checks anyway, it doesn’t matter how sophisticated your reg creation is.
Of course, software always gets cracked. But hindering their path is the best option for me.
The whole thing needs to be as simple as possible for the customer, and I kind of regret making them have to copy and paste three lines of text instead of just one!
p.s. there are also some anti-pirate tricks, but this is a public forum. 
Alright – I’ll toss an extra question in here? Since the Machine IDs provided by JUCE prove to be too unstable to use in practice in the long haul – what is a better machine identifier?
1 Like
We had some data which suggested a 6:1 ratio of cracks to actual customers, 33% of whom were in Russia.
2 Likes
I am working on a soon-to-be publicly available licensing solution using AWS, and in the requests from the plugin, they list the current machine IDs, as well as the last machine ID that was used. Then the server checks if they are different, and if that plugin has used that license code previously to determine previous ownership. If the machine IDs are different and the license codes are the same, it removes the old value in the DB and replaces it with the new one.
3 Likes
genius idea thanks for that!
FWIW: What I do is let my server handle everything.
Each plugin license has three activation slots.
When the plugin is installed, the user enters their account information.
The plugin sends the account information, along with a machine ID fingerprint to my server.
The server checks to see if the user has paid for a license. Then, it looks to see if one of the three activation slots is available. If so, then it assigns the machine ID to a slot and sends the unlock code to the plugin.
If no slots are available, the user must login to their account on my server and delete one of the computers to free up a slot. Then the activation process will proceed as before.
I decided at the beginning to make all of this completely under the user’s control. That way I never have to deal with it. In fact, I can’t deal with it. In my system, there is no way for me to manually assign an activation. It must be done by the user.
I always wondered how NI and Ableton are still in business, given their relatively simple copy protection. Seems like reach and online requiremements is key to success. If you reach a million users, you are fine with only 20% paying customers because 200,000 paying users is still a huge base to keep your business alive, especially if you have dozens of products to offer, all based on the same technology.
However, reach alone doesn’t earn you a penny. It needs to be actually reached out to on a regular basis. There is a good reason why the majority of staff in service sector businesses is marketing and sales. This is almost impossible to pull of as a one man show. Once you have reach however, you can team up with others and eventually make it a fulltime job.
I may be wrong, but with only a few thousand users and going it alone, you’ll probably give up at some point, unless it’s only a side hustle for you anyway.
So as a start to get some reach, why not do a Freemium? Reach is growing fast with the free (guilt free) version and that proportionally grows the 10-20% share or so that buys an upgrade/bonus features. Email the base with a discount offer every now and then and some % will make the switch. There is probably less of an incentive for crackers to spend time on a product that is mostly available for free anyway.
If you’re thanking me for that answer… it is kind of a band-aid and it should be paired with a better hardware ID, especially if you want to allow for offline licenses because your plugin can (and probably will) deactivate itself if the machine IDs change. I will probably look into using HWID for Windows, and an alternative for Unix systems for my client-side library.
If you’re thanking me for the AWS solution, it will hopefully be ready before December. I would like to post it here after I finish testing it, but I might need some permission from mods.
I’m reading this in late 2023 and I have all the same questions you had back when you originally posted this. So I’m curious, how did it go? Do you have any experience to share regarding anti piracy and selling your plugins now two years later?