RSA JWT Licensing: How I Made Piracy Pointless

Plugin piracy is inevitable. The question isn’t whether someone will try to use your plugin without paying; it’s whether the effort is worth their time. With RSA JWT licensing, we made it not worth the effort.

Asymmetric Tokens

The License Master server holds the private key. Client plugins hold only the public key. When a site registers, the master issues an RS256-signed JWT containing the site UUID, license status, expiration, and capabilities. The client verifies the signature with the public key but can never forge a new token.

This is the fundamental improvement over shared-secret HMAC. With HMAC, anyone who can read the plugin source code can see the secret and forge tokens. With RSA, reading the source gives you the public key, which is public by design. The private key never leaves the master server.
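As an added illustration (not the License Master's own code), here is the issue/verify round trip described above in Go, using only the standard library. The claim names (`site_uuid`, `caps`), the function names and the 2048-bit key size are assumptions; the verifier pins the algorithm to RS256 rather than trusting the token header, which is the check that keeps a public-key-only client from being tricked into HMAC verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

type Claims struct { // what the post says the token carries; the JSON names are assumed
	SiteUUID     string   `json:"site_uuid"`
	Status       string   `json:"status"`
	Exp          int64    `json:"exp"`
	Capabilities []string `json:"caps"`
}
var b64 = base64.RawURLEncoding
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
func NewKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// Issue runs on the master: RS256 is RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload".
func Issue(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(in))
	if err != nil {
		return "", err
	}
	return in + "." + b64.EncodeToString(sig), nil
}

// Verify runs in the plugin with only the public key; now is Unix time. It pins RS256 instead of trusting the header (blocks alg=none / HS256 downgrades).
func Verify(pub *rsa.PublicKey, token string, now int64) (*Claims, error) {
	parts := strings.Split(token, ".") // always at least one element, so parts[0] is safe
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("malformed token or unexpected alg")
	}
	if sig, err := b64.DecodeString(parts[2]); err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(parts[0]+"."+parts[1]), sig) != nil {
		return nil, errors.New("bad signature")
	}
	var c Claims
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil || now >= c.Exp {
		return nil, errors.New("bad or expired payload")
	}
	return &c, nil
}
```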

Sentinel

The Sentinel is a must-use plugin (MU-plugin) that monitors file integrity via hash checks and verifies colocation proof, ensuring the plugin actually runs on the domain the license was issued for. It can’t be deactivated from the WordPress admin UI because MU-plugins load automatically.

If the Sentinel detects tampering or a colocation mismatch, it sets a downgrade flag. The next time the license gate runs, it sees the flag and blocks premium features. The flag is per-plugin, so one compromised plugin doesn’t affect the others.

Heartbeat

Every 10 minutes, a WP-Cron job pings the License Master to refresh the token. If the server is unreachable, a 120-minute offline grace period prevents false lockouts. After grace expires, the plugin degrades to free-tier functionality until connectivity is restored.
