BuiltByBit provides creators with many tools for implementing their own DRM systems. However, if care is not taken to ensure that these systems do not negatively impact buyers, they can degrade user experience and result in poor reviews and even refund requests. This page provides our recommendations on how you can implement secure DRM systems that protect your resources without being unnecessarily obtrusive.

Consider downtime implications

With Minecraft servers as an example, a server could have many dozens of different plugins installed, each wanting to do its own license validation. The worst thing any of these plugins could do is perform periodic license checks during runtime and disable itself if the license server cannot be reached at any point. If BuiltByBit’s moderation team discovers that a plugin is behaving this way, it may actually be considered malware and removed, as it effectively gives plugin creators the ability to take down any servers running their software at any time, whether deliberately or unintentionally through any sort of momentary disruption in service.

Standard behavior would be to only perform a license check on server startup. However, even this can be problematic if there is downtime with the license validation authority or any of its dependent services such as Cloudflare. Large networks may spin up and down servers as necessary and even smaller servers often schedule server restarts. If one or more of their plugins is having a license validation issue during those restarts, it can take the entire server offline.

For this reason, we strongly recommend a failsafe mechanism such as falling back on a previous license validation response whenever there is a communication issue with the validation authority. You can do this securely by implementing cryptographically signed responses, which allow you to cache license check responses even in plain text and validate them even offline. The signature lets you verify when the response was issued, who issued it, and that it is unmodified.

BuiltByBit offers signed JWTs (JSON Web Tokens) as an optional response for our Ultimate API, so if you’re using our Ultimate API for your license validation needs, most of the work has already been done for you. You can read more about how to request and validate a JWT response in our Ultimate API wiki.

Since our JWT responses include the original request, you may even consider including hardware information within the initial API request, so that when it is signed and returned, you can compare that information with the hardware information available at the time that you are falling back on that response to ensure that the hardware is the same as it was initially. You can also refer to the “iat” aka “issued at” date to decide when to discard an old response for being too stale.
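As an added example (not BuiltByBit's own code), here is the fallback check described above in Node.js: verify the cached token's signature with a pinned algorithm, then apply the "iat" staleness limit and the hardware comparison. The RS256 algorithm, the `request.hardware_id` claim name, the seven-day limit and the locally generated key pair are assumptions; take the real algorithm, claim layout and public key from the Ultimate API wiki.

```javascript
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Stand-in for the validation authority: signs constructed claims as an RS256 JWT.
function issueSampleToken(privateKey, claims) {
  const head = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = crypto.sign('RSA-SHA256', Buffer.from(`${head}.${body}`), privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// Decide offline whether a cached response may be used as a fallback.
// Assumed claim layout: { iat, request: { hardware_id } } (hypothetical names).
function verifyCachedLicense(token, publicKey, hardwareId, nowSec, maxAgeSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, claims;
  try {
    header = JSON.parse(Buffer.from(head, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(body, 'base64url').toString('utf8'));
  } catch (err) {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || !claims) return { ok: false, reason: 'malformed' };
  // Pin the algorithm instead of trusting the token's header ("none", HS256, ...).
  if (header.alg !== 'RS256') return { ok: false, reason: 'bad-alg' };
  const signed = Buffer.from(`${head}.${body}`);
  if (!crypto.verify('RSA-SHA256', signed, publicKey, Buffer.from(sig, 'base64url'))) {
    return { ok: false, reason: 'bad-signature' };
  }
  // Claims are trusted only from here on. Allow 5 minutes of clock skew on iat.
  if (!Number.isFinite(claims.iat) || claims.iat > nowSec + 300) {
    return { ok: false, reason: 'bad-iat' };
  }
  if (nowSec - claims.iat > maxAgeSec) return { ok: false, reason: 'stale' };
  if (!claims.request || claims.request.hardware_id !== hardwareId) {
    return { ok: false, reason: 'hardware-mismatch' };
  }
  return { ok: true, reason: 'ok' };
}

// Constructed demo: throwaway key pair and sample claims, cached one day ago.
const demoKeys = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const demoNow = Math.floor(Date.now() / 1000);
const demoToken = issueSampleToken(demoKeys.privateKey,
  { iat: demoNow - 86400, request: { hardware_id: 'hw-constructed-1' } });
console.log(verifyCachedLicense(demoToken, demoKeys.publicKey, 'hw-constructed-1', demoNow, 7 * 86400));
```

Only the authority's public key ships with the product, so a cached token stored in plain text cannot be altered or re-dated without failing the signature check.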

Consider EOL management

For most creators, it is unavoidable that we’ll be unable to actively participate in and maintain the projects we currently work on forever. We’ll grow old, our focuses will shift, and we may become entirely unavailable. Just as it would be unfair to expect that our creators support their products for eternity, it would also be unfair to allow buyers to have their products suddenly stop functioning once a creator moves on. For that reason, it’s important to consider how you’re going to handle your product’s end-of-life responsibly.

For products that require no real maintenance such as graphics, builds or similar situations, that might entail only the bare minimum such as unpublishing those products once you know you’re no longer going to be available to provide support to your buyers in the near future. BuiltByBit does automatically do this for creators who have not logged in for one year, with an email reminder sent a few weeks before.

However, for products that depend on online services such as a license validation server, it might be more appropriate to release a version without that dependency before those servers expire, or to configure the software to skip the license check past a certain date. For BuiltByBit buyers, if you don’t want to remove the license validation entirely, you can consider swapping your own license validation service with BuiltByBit’s Ultimate API. In an upcoming update, our license validation endpoint will be free to all users regardless of Ultimate subscription status, so even if your subscription expires you can ensure that your products will continue to function as expected.
