LICENSE

Dokan Conditional Category Attributes — Authorization & Licensing Notes

Version: 3.5.0 (Server) / 3.0.1 (Plugin)
Developer: OpequeGlass
Last Updated: June 2026

1. Authorization System Overview

Dokan Conditional Category Attributes uses a server-bound authorization system that validates license keys against the OpequeGlass licensing server. The system is designed to protect commercial distribution while ensuring legitimate customers retain full feature access.
Key Principles:
  • Authorization is required for all attribute filtering features to function
  • First-activation expiry — the timer starts when you first activate, not when you purchase
  • Status is dynamic — recalculated from live database on every request (zero caching)
  • Domain-bound — each production domain consumes one activation slot
  • Graceful degradation — without active authorization, the plugin UI shows a lock overlay but preserves your configuration data

2. Authorization Tiers

Table

Tier Sites Duration Best For
Single Site 1 production + 1 staging subdomain 1 year from first activation Individual marketplace operators
Multi-Site 5 production domains 2 years from first activation Agencies managing multiple clients
Business Unlimited 3 years from first activation Large organizations, white-label deployments
Key Format: DKN-XXXX-XXXX-XXXX-XXXX (auto-generated, uppercase)

3. Status Definitions & Behavior

The authorization system uses four distinct statuses. Understanding these is critical for troubleshooting:
Table

Status Meaning Can Activate? How It’s Set
INACTIVE License exists but is not currently bound to any site  Yes Automatically when 0 active sites detected
ACTIVE Currently bound to one or more sites  Yes (if slots available) Automatically when ≥1 active site detected
EXPIRED Past expiry date (terminal state)  No Automatically when expiry_date < now()
SUSPENDED Manually blocked by admin (terminal state)  No Manually via admin panel
Important: Only EXPIRED and SUSPENDED statuses block activation. INACTIVE simply means “available to use.”

4. Activation Process

Step 1: Enter Authorization Token

Navigate to Authorization Manager in your WordPress admin menu. Enter your DKN- token in the activation field.

Step 2: Domain Resolution

The plugin extracts your site URL, strips the www. prefix, and transmits:
  • License key
  • Site domain
  • Site URL
  • API secret (for server validation)

Step 3: Server Validation

The server checks:
  1. Does the key exist?
  2. Is the status not expired or suspended?
  3. Does the domain already exist (reactivation) or are slots available?
  4. Is this the first activation? (If so, sets first_activation_date and calculates expiry_date)

Step 4: Local Storage

On success, the plugin stores:
  • Token, status, type, max sites
  • Expiry date and remaining days
  • First activation date
  • Activated-at timestamp
  • Integrity fingerprint (anti-tamper)

5. Expiry Mechanics (First-Activation Based)

Unlike traditional licenses that expire from purchase date, this system uses first-activation expiry:
plain

expiry_date = first_activation_date + expiry_years
Table

Tier Expiry Years Example
Single 1 year Activate Jan 15, 2026 → Expires Jan 15, 2027
Multi 2 years Activate Jan 15, 2026 → Expires Jan 15, 2028
Business 3 years Activate Jan 15, 2026 → Expires Jan 15, 2029
Before First Activation:
  • Status: INACTIVE
  • Expiry: null (displayed as “Waiting for first activation”)
  • The timer only starts when you click Activate
Auto-Correction: On every sync/validation, the server recalculates expiry_date from first_activation_date + product config. This prevents drift if the database is manually edited.

6. Domain Binding Rules

What Counts as a Site?

  • Production domains: example.com, shop.example.com — each counts as one binding
  • Staging subdomains: Typically permitted under the same root domain but may require verification
  • Localhost / .local: Permitted for development; may require manual override

Reactivation

If your domain is already registered (e.g., after a plugin reinstall):
  • The server updates last_checkin and returns “Already active”
  • No additional slot is consumed
  • Expiry is not reset

Site Migration

  1. Deactivate on the old domain first (via Authorization Manager)
  2. Activate on the new domain
  3. If the old domain is inaccessible, contact support with your token and proof of ownership

7. Deactivation

Client-Side Deactivation

Click Deactivate Authorization in the Authorization Manager. This:
  1. Opens a confirmation modal (prevents accidental clicks)
  2. Sends deactivate request to the server
  3. Marks the site as inactive in the database
  4. Triggers status sync (may set license to INACTIVE if no active sites remain)
  5. Clears all local authorization options
  6. Updates the UI to show the activation form (no page reload)

Admin-Initiated Deactivation (Server)

From the license server admin panel, you can:
  • Suspend a license: Blocks all activations/validations, pings all client sites to disable features
  • Deactivate a single site: Removes one domain from a multi-site license without affecting others

8. Feature Lock Behavior

When authorization is missing, expired, or suspended:
Table

Feature Behavior
Category attribute configuration Blocked — lock overlay with “Authorization Required” message
Existing attribute filters Continue working — frontend filtering is preserved
Plugin updates Blocked — update checker requires ACTIVE status
Support access Blocked — requires active authorization
Data Preservation: Your category-to-attribute mappings (_allowed_attributes term meta) are never deleted during deactivation. Reactivating the same license restores full functionality instantly.

9. Update Checking

The plugin contacts server to check for updates:
Requirements for updates:
  • Valid ACTIVE authorization
  • Current version transmitted to server
  • Domain validated against active sites list
Update response includes:
  • New version number
  • Download URL (signed)
  • Tested WordPress/PHP versions
  • Changelog sections

10. Integrity & Security

Anti-Tamper Measures

The plugin generates an integrity fingerprint from:
plain

md5(token + status + type + max_sites + API_SECRET + site_url)
If local options are manually edited, the fingerprint mismatch triggers a forced server re-sync. If re-sync fails, features are locked.

Zero-Cache Headers

All API responses include aggressive no-cache headers to prevent proxy/CDN caching of authorization state.

API Secret Validation

All server requests require a shared api_secret. Requests without it receive HTTP 401.

11. FastSpring Integration

For purchases through FastSpring:
  1. Order completed → Webhook creates license key in database
  2. Subscription renewed → expiry_date extended by tier’s expiry_years
  3. Subscription canceled → License set to INACTIVE
  4. Refund issued → License set to INACTIVE
Product Mapping:
Table

FastSpring Product License Type Max Sites Expiry
dokan-Business Business Unlimited 3 years
dokan-multi Multi 5 2 years
dokan-Single Single 1 1 year

12. Troubleshooting

“Authorization Required” Lock Overlay

  • Your license is inactive, expired, or suspended
  • Navigate to Authorization Manager and check status
  • Click Sync Now to refresh from server

“Maximum site limit reached”

  • Your tier’s site slots are full
  • Deactivate unused sites or upgrade to a higher tier

“License has expired”

  • Purchase a renewal through your original channel
  • The renewal extends from the original expiry date (no lost time)

“Server returned invalid response”

  • Check that your server can reach https://dokanconditionalattribute.com
  • Verify SSL/TLS is enabled on your hosting
  • Check server logs for blocked outbound requests

Sync Shows “Stale”

  • Last sync was >30 seconds ago
  • Click Sync Now or Quick Sync (AJAX, no reload)
  • If persistent, check server connectivity

13. Glossary

Table

Term Definition
Authorization Token Your DKN- license key
First Activation The moment you first click “Activate” — starts the expiry timer
Integrity Fingerprint Cryptographic checksum preventing local option tampering
Site Slot One production domain binding
Terminal State expired or suspended — cannot be changed by automatic sync
Zero Cache Aggressive no-cache headers preventing stale authorization data
These notes reflect the current implementation as of License Server v3.5.0 and Plugin v3.0.1. For the latest terms, always refer to your purchase agreement and the live documentation.