Guides // FiveM // Licensing

How to protect and license your FiveM scripts

If you sell FiveM resources, two different problems both get called protection. One is stopping someone from reading and copying your code. The other is controlling who is allowed to run it and on how many servers. They need different tools, and the strongest setup uses both.

Problem one

Keep the code from being copied

Cfx.re's Asset Escrow is the platform answer to code copying. You upload a resource through the keymaster and select files to encrypt. Cfx encrypts the client and server Lua and supported asset files, replaces the source with encrypted binaries, and ties the asset to the buyer's server license. The buyer runs it but cannot read or edit the protected files. You can leave configuration readable with the escrow_ignore directive in your fxmanifest. It is good at what it does: the raw source does not ship to the customer.

  • Encrypts selected Lua and supported asset files on Cfx servers.
  • Authenticates against the buyer's keymaster server license.
  • escrow_ignore keeps config and chosen files editable.

The gap

Where escrow stops

Escrow protects the code, but it is Cfx-managed and scoped to FiveM assets tied to a keymaster license. It does not give you your own record of who bought what, per-customer activation limits you control, the ability to revoke a specific abuser on demand, or any protection for products that are not FiveM escrow assets, like a Node service, a web panel, or a Discord bot. For that you need a license layer you own.

Problem two

Control who can run it

A self-hosted license server issues a key on each sale, validates it when the product boots, and lets you cap activations, revoke abuse, and expire keys, all from your own database. Because validation is a single HTTP request, it works from any product in any language, not just FiveM Lua. That is the difference between renting the platform's protection and owning your licensing.

The tool

AL License System

AL License System is that layer, and it is what runs the appleluis.ltd store itself. Keys are HMAC-signed so forged keys are rejected before a database hit, activations bind to a server fingerprint with a cap you set, and you get validate, revoke, and expire states with an audit log. It runs on Cloudflare Pages Functions and D1, so there is no server to babysit, and it ships with Node and FiveM Lua validate clients. Use it alongside escrow: escrow hides the code, the license server controls the keys.

Questions

Is Cfx Asset Escrow enough by itself?

It is enough to stop casual code copying for FiveM Lua and supported asset files. It does not give you your own license records, revocation, or activation caps you control, and it does not cover non-FiveM products. Pair it with a license server for that.

Can I license a Node service or web panel this way?

Escrow cannot, it is for FiveM assets. A self-hosted license server can, because validation is just an HTTP POST that any language can make. AL License System ships Node and Lua clients as examples.

What happens when a customer abuses a key?

With a license server you own, you revoke that key and it fails validation on the next boot, and you can see the activation history behind the decision. Escrow alone has no such control.

Do I have to choose escrow or a license server?

No, and you should not. Escrow protects the source, a license server controls the keys and covers products escrow cannot. The two solve different halves of the same problem.