Every time a customer buys a theme, plugin, or template on Envato Market, Envato generates a unique Purchase Code. It looks like this: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx (a UUID v4 string).
"item": "id": 12345678, "name": "SuperTheme - Responsive WordPress Theme", "author_username": "themeguru" , "license": "Regular License", "supported_until": "2025-12-31T00:00:00+00:00", "buyer": "john_doe_123", "purchased_at": "2024-01-15T10:30:00+00:00", "amount": "59.00", "currency": "USD"
// Pseudocode $cacheKey = md5($purchaseCode); $cached = getFromRedis($cacheKey); if ($cached) return $cached; // else call API, store result, return. ❌ Pitfall 1: Verifying on the Client Side Never verify a purchase code using JavaScript (frontend). The API token would be exposed, and anyone could steal it.
This 36-character code is the proof of purchase for every digital item sold. Yet, for developers and website administrators, simply having this code is not enough. The critical challenge lies in —distinguishing a legitimate customer from a fraudster using a fake or stolen code. -EXCLUSIVE- Envato Purchase Code Verifier
| Solution | Type | Best For | |----------|------|-----------| | | DIY | Developers wanting full control | | Freemius | SDK + SaaS | WordPress plugin sellers needing licensing & updates | | LiquidWeb’s Envato Verifier | PHP Library | Quick integration into existing apps | | Patreon-style gateways | Custom | SaaS platforms using Envato as a payment proxy |
Always use /v3/market/author/sale . ❌ Pitfall 3: Ignoring Support Expiry Many developers check only that the code exists. But if your item includes support, you must check the supported_until field.
However, as of this publication, no official timeline exists. Until then, third-party tracking remains necessary for anyone selling self-hosted software. The Envato Purchase Code Verifier is not just a technical tool; it is the bedrock of trust in the Envato marketplace ecosystem. For sellers, it protects revenue. For buyers, it ensures legitimate access. And for the marketplace as a whole, it prevents abuse. Every time a customer buys a theme, plugin,
Always verify on your own backend server. ❌ Pitfall 2: Using the Wrong API Endpoint Some outdated tutorials use the deprecated market:shortcode endpoint. That no longer works.
catch (Exception $e) echo "Verification failed: " . $e->getMessage();
// Usage $code = $_POST['purchase_code'] ?? ''; $token = 'YOUR_SECRET_API_TOKEN'; try $saleData = verifyEnvatoPurchaseCode($code, $token); if ($saleData) echo "✅ Valid license for: " . $saleData['item']['name']; // Now check if this code has been used before (your own DB) else echo "❌ Invalid purchase code."; ❌ Pitfall 1: Verifying on the Client Side
Whether you copy-paste the PHP function above, integrate an SDK, or wait for Envato’s next evolution, one thing is certain: Have questions about implementing your own verifier? Need an advanced multi-site license tracker? Contact our editorial team—we may feature your solution in an upcoming exclusive.
If you sell WordPress themes, use the Envato Market plugin (free) combined with a custom API call for additional validation. If you sell standalone PHP scripts, build your own lightweight verifier as shown above. Part 7: The Future – Envato’s New Licensing API (Rumors & Reality) Industry insiders (speaking anonymously) suggest Envato is exploring a more granular licensing API that would include activation limits and domain whitelisting—features long requested by major authors.
If the code is invalid, you get a 404 Not Found or 403 Forbidden error.