How could you keep the user from leaking their license along with the product, though? The only way I can think of is to restrict usage of the license to a specific game id, but this could be easily spoofed since the logic for this would need to happen on the Roblox side.
Even with a script checking through HTTP service to see if the user has purchased your license, all the user has to do is:
- Open said script in Studio.
- Find the HTTP service license verification code
- Replace the verification code with an always-true result
Then the script would pull your assets for free.
Right. After lots of thought I came to the conclusion that the only truly secure way is not to have “client side security” which in this case the untrusted user client is the developer’s server, but to implement server side security. This basically means that to be secure your scripts must run on a different server. Hence RBXMod.
Another method I was considering while designing RBXMod is to actually secure game servers by making a Roblox account neither developer had direct access to and placing the assets of both in there. That has some obvious drawbacks so I went with the first method.
One of the major goals of RBXMod is to allow a market to grow around scripts. For that to happen, scripts need to be secured.
Currently in Roblox ToS if any script is shared on Roblox, you yield the right to sell it and it becomes public domain. Even if you put a license on it, you now have two legal documents conflicting with each other and a user base with a bunch of kids who really just don’t know or care.
If they delete it the system won’t work either way for him so that’s how we protect it from being stolen and stuff.
I actually thought about it, but I thought it wouldn’t work.
It isn’t exactly like that. There’s no script in the model other than the configurations and the require. “require” script will be the one that enables the system. If the user changes it, still doesn’t work.
No script will be provided in the model except the configuration and the “require” script which enables the system via HTTP and API, which verifies if the user have bought the product.
There are no private modules any more, so iirc the user can just download a copy of the module the require script requires, edit that, and replace the require script with it.
Well there’s something cause Check Me In has it privately with no scripts in it.
CheckMein hosts it on an External Server which is Secured with keys / other stuff Then its Secured, There is a way to still get the code but it will take ages to Do.
I’m jumping into this conversation blind, but generally you should just provide what the person has purchased from you when they pay and you can provide it via Discord, having an automated process to supply things that you’ve made to someone that buys it seems a bit useless in my opinion.
Edit: Obviously in this case you want to supply a “license” key that allows them to activate their product that they’ve purchased from you.
I’m primarily commenting based on your main post where you clarify:
That’s one of my questions, how to Check Me In works and how can I do this to my own.
I Will DM you now, and Explain how it works. then Recap it all here.
It took me 60 seconds to find the script CheckMeIn calls require on. Feel free to insert into Studio and edit as you please, despite the DMCA threat.
Yours would have the same flaw as this. The module can be grabbed by anyone, modified, and used to access your assets.
So how can this work and what do I do with it and where.
Its Obfuscated not the actual code.
What I’m saying is it doesn’t work because I was able to find their module script. By inserting it and editing yourself, you can get their assets without purchase. They won’t be happy, and I can’t comment on their legal claims.
The point is, the “protection” doesn’t work.
So I can make their assets “work” because they already have them free, just need a license key.
As I said in your DM Its all Obfuscated / Secured. There code is hosted on there API which uses Endpoints.
Alright. DM me information on how could I make my own API and use Endpoints and make the same thing so I can protect (at least for those who don’t know how to steal) my assets.