For paid resources, you can take advantage of placeholders.
You can verify that these placeholders are authentic by using the
We recommend that you also use Polymart's automatic obfuscator to combat piracy. The obfuscator will
automatically encrypt all of the placeholders in your .jar file, among other things, making it much
harder to pirate your plugin.
is an advanced placeholder that can not
be spoofed, and can be used to get information about the resource download and the identity of the
user who downloaded. It impossible to generate a valid signature without downloading the resource from Polymart.
You can get more information about it in the advanced placeholders section below. If you're looking for
something that's a little easier to use, you should check out the %%__VERIFY_TOKEN__%%
Remember that anyone can modify a file
once it's downloaded, so there's no way to make fail-safe piracy protection.
Assuming no one has tampered with your download,
is replaced with the user's ID.
The user's profile at https://polymart.org/user/%%__USER__%%
is replaced with the user's username on Polymart.
Keep in mind that users can change their usernames, so if you need to uniquely identify a user,
you should use
is replaced with your resource's ID on
Polymart. The resource is at https://polymart.org/resource/%%__RESOURCE__%%
is replace with a unique identifier for the download
is replaced with the version of your
resource that was downloaded from Polymart. This is the version on Polymart, and will only match
what you have in the plugin.yml if you give the two the same value
is replaced with a token that can be used
to verify the download using the /v1/verifyPurchase
If you want to make use of the API action, you'll also need to include all of the placeholders on this page.
is replaced with a "1".
So, if your resource was downloaded from polymart, this will be replaced with "1". If it
was downloaded from somewhere else, it will stay as "%%__POLYMART__%%".
is replaced with an ID for the agent that downloaded
this resource. If the resource was downloaded directly from Polymart, this will be a string
of 0's. If it was downloaded using a token from the Developer API
this will be the ID of
is replaced with the time at which
the resource was downloaded (seconds in epoch time
If there's any placeholders that you think would be useful, but aren't currently supported, shoot us a message
and we'll add them as soon as possible
You can add custom placeholders to your resource, and even make them different for each version, if you want!
You can also use this for anti-piracy by doing operations on information about the downloading user.
For more information, please Contact Us
If you plan to use placeholders for automatic piracy prevention, you must first
test your system and ensure that it doesn't generate false positives
is replaced with the websafe
contents of the 2048-bit RSA public key for your
resource. The contents of RSA keys are normally base64-encoded, but remember that Polymart turns the base64 into websafe
base64. Websafe base64-encoding replaces
all "+" with "-", replaces all "/" with "_", and removes all "=" from the original base64 string. Use this public key to decrypt %%__SIGNATURE__%%
The key is encoded according to the X.509 standard.
For example, it might look something like this:
is replaced with a web-safe
string. It encodes an encrypted JSON string, which is encrypted using your resource's RSA private key (which only Polymart knows).
The encrypted JSON string contains information about the resource download.
The string can be decrypted using the RSA public key in %%__RSA_PUBLIC_KEY__%%
and is padded using OpenSSL PKCS1
The JSON string that is encrypted will contain the following information:
This is then encrypted using your resource's private key. Then, the encrypted string
is encoded as websafe base64. The result might look something like this:
You can then decrypt this using your resource's public key, %%__RSA_PUBLIC_KEY__%%
to retrieve the above JSON.
If you want to test your system, decrypt the above websafe base64-encoded example with the example
public key given above in %%__RSA_PUBLIC_KEY__%%
Remember that OpenSSL PKCS1 padding is used!
You should get this: