
meumouse/mds-php-sdk
====================

WordPress PHP SDK for the Modular Distribution Service (MDS): licensing, signed update checks, version rollback and anti-piracy for plugins and themes.

v1.0.0 (today) · GPL-2.0-or-later · PHP >=7.4 · CI passing · Since Jun 18

[Source](https://github.com/meumouse/mds-php-sdk) · [Packagist](https://packagist.org/packages/meumouse/mds-php-sdk) · [Docs](https://meumouse.com)

MDS PHP SDK
===========

WordPress PHP SDK for the **Modular Distribution Service (MDS)**. Drop it into any plugin or theme to get **licensing**, **signed update checks**, **version rollback** and **anti-piracy** — all talking to the MDS API in a controlled, performance-friendly way.

- **No constant polling.** Update checks ride WordPress's own update cron and are cached in transients (default 12h). License validation runs once a day via WP-Cron with per-site jitter. Nothing happens on a normal front-end request.
- **Anti-piracy by design.** The API signs responses with ed25519; the SDK verifies every license/update response with an embedded public key and refuses to act on unsigned or tampered data. A "nulled" build cannot forge a valid license nor fetch a genuine update package (downloads are token-gated server-side).
- **WordPress best practices.** WP HTTP API, transients, WP-Cron, capabilities, nonces, i18n, multisite-aware storage, and a collision-safe loader.
- **Zero runtime dependencies.** Uses `ext-json` and `ext-sodium` (bundled with PHP 7.2+).

Requirements
------------

- PHP **7.4+**
- WordPress **5.8+**
- `ext-sodium`, `ext-json`

Installation
------------

```
composer require meumouse/mds-php-sdk
```

> **Embedding in a distributed plugin/theme:** prefix the namespace at build time with [Strauss](https://github.com/BrianHenryIE/strauss) (or Mozart) so multiple products can ship different SDK versions without class clashes. See [Namespace prefixing](#namespace-prefixing).

Quick start
-----------

```
require_once __DIR__ . '/vendor/meumouse/mds-php-sdk/mds-sdk.php';

add_action( 'mds_sdk_loaded', function () {
    \MeuMouse\MDS\SDK\SDK::register( array(
        'product_slug'    => 'my-plugin',           // matches the MDS product slug
        'type'            => 'plugin',              // 'plugin' | 'theme'
        'file'            => plugin_basename( __FILE__ ),
        'current_version' => '1.0.0',
        'api_base_url'    => 'https://api.meumouse.com',
        'api_key'         => 'mds_live_xxx',        // public, low-privilege product key
        'public_key'      => 'BASE64_ED25519_PUBLIC_KEY',
        'item_name'       => 'My Plugin',
        'settings_parent' => 'options-general.php', // optional auto License submenu
    ) );
} );
```

For a theme, set `'type' => 'theme'` and `'file' => get_stylesheet()` (the stylesheet directory name).

### Configuration keys

| Key | Required | Default | Description |
| --- | --- | --- | --- |
| `product_slug` | ✅ | — | MDS product slug. |
| `file` | ✅ | — | Plugin basename (`dir/file.php`) or theme stylesheet. |
| `current_version` | ✅ | — | Installed version (SemVer). |
| `api_base_url` | ✅ | — | MDS API base URL. |
| `api_key` | ✅ | — | Public per-product API key (scopes: `updates:check`, `licenses:activate`, `licenses:deactivate`). |
| `public_key` | ✅ | — | Base64 ed25519 public key used to verify signed responses. |
| `type` | — | `plugin` | `plugin` or `theme`. |
| `item_name` | — | slug | Display name. |
| `text_domain` | — | slug | Text domain for SDK strings. |
| `channel` | — | `stable` | `stable` or `beta`. |
| `settings_parent` | — | `null` | Parent menu slug for an auto License submenu. |
| `update_check_ttl` | — | `12h` | Update-check cache lifetime (seconds). |
| `grace_period` | — | `14d` | How long a cached "valid" status survives an API outage. |

Rendering the UI yourself
-------------------------

The auto submenu is optional. To embed the panels in your own settings page:

```
$integration = \MeuMouse\MDS\SDK\SDK::get( 'my-plugin' );

$integration->settings()->render();        // license activation panel
$integration->rollback_page()->render();   // available versions / rollback
```

Query state programmatically:

```
if ( \MeuMouse\MDS\SDK\SDK::get( 'my-plugin' )->is_licensed() ) {
    // unlock premium behaviour
}
```

How throttling works
--------------------

| Concern | Cadence | Mechanism |
| --- | --- | --- |
| Update check | ~12h (configurable) | Cached transient; refreshed only when WP builds its update transients. |
| License heartbeat | Daily (+ jitter) | WP-Cron event per product. |
| Version list (rollback) | ~12h | Cached transient; tokens minted only on an actual rollback. |
| Errors / no license | ≤1h | Short negative cache to prevent request storms. |

Admins can force a refresh with **Re-check now** (clears caches + revalidates).

Anti-piracy model (honest)
--------------------------

- **Primary defence — signed responses.** The MDS API signs the exact response bytes with its ed25519 private key. The SDK recomputes `sha256(raw_body)`, checks a ±5min freshness window (anti-replay) and verifies the detached signature with the embedded public key. License/update calls **fail closed** when the signature is missing or invalid, so a fake/MITM update server cannot return a forged `valid: true`.
- **Token-gated downloads.** Update and rollback packages are served only via short-lived, single-use server tokens — a patched client cannot mint them.
- **Domain binding.** Activations bind to `home_url()` (network home on multisite), enforced both client- and server-side.
- **Defence in depth.** Namespace prefixing and storing the public key / API base as constants raise the bar, but client-side code can always be patched — that is exactly why the cryptographic signature (which cannot be forged) is the real protection, not obfuscation.
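
The verification flow described above, as an added example rather than the SDK's own code: it hashes the raw body, enforces the ±5 minute window and checks the detached ed25519 signature, returning `null` on any failure. The signed-message layout (`<timestamp>.<sha256 hex>`), the function name `verify_signed_response` and the throwaway key pair are assumptions; the page does not document the wire format.

```php
<?php
// Added illustration, not the SDK's code. Assumed (hypothetical) signed-message
// layout: "<unix timestamp>.<sha256 hex of raw body>"; the README does not specify it.
const FRESHNESS_WINDOW = 300; // ±5 minutes, per the README

/** Returns the decoded body, or null (fail closed) on any verification failure. */
function verify_signed_response( string $raw_body, ?string $sig_b64, ?string $timestamp, string $public_key_b64, int $now ): ?array {
    if ( null === $sig_b64 || null === $timestamp || ! ctype_digit( $timestamp ) ) {
        return null; // unsigned response
    }
    $signature  = base64_decode( $sig_b64, true );
    $public_key = base64_decode( $public_key_b64, true );
    if ( false === $signature || SODIUM_CRYPTO_SIGN_BYTES !== strlen( $signature )
        || false === $public_key || SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES !== strlen( $public_key ) ) {
        return null; // malformed signature or key
    }
    if ( abs( $now - (int) $timestamp ) > FRESHNESS_WINDOW ) {
        return null; // stale or future-dated: treat as replay
    }
    // Hash the exact bytes received, before any JSON decoding or re-encoding.
    $message = $timestamp . '.' . hash( 'sha256', $raw_body );
    if ( ! sodium_crypto_sign_verify_detached( $signature, $message, $public_key ) ) {
        return null; // body, timestamp or signature was altered
    }
    $data = json_decode( $raw_body, true );
    return is_array( $data ) ? $data : null;
}

// Constructed demo data: a throwaway key pair stands in for the MDS signing key.
$keypair = sodium_crypto_sign_keypair();
$pub_b64 = base64_encode( sodium_crypto_sign_publickey( $keypair ) );
$now     = time();
$ts      = (string) $now;
$body    = '{"valid":false,"product_slug":"my-plugin"}';
$signed  = $ts . '.' . hash( 'sha256', $body );
$sig     = base64_encode( sodium_crypto_sign_detached( $signed, sodium_crypto_sign_secretkey( $keypair ) ) );
$forged  = str_replace( 'false', 'true', $body ); // flipped to "valid":true in transit

$cases = array(
    'genuine'     => verify_signed_response( $body, $sig, $ts, $pub_b64, $now ),
    'forged body' => verify_signed_response( $forged, $sig, $ts, $pub_b64, $now ),
    'replayed'    => verify_signed_response( $body, $sig, $ts, $pub_b64, $now + FRESHNESS_WINDOW + 1 ),
    'unsigned'    => verify_signed_response( $body, null, $ts, $pub_b64, $now ),
);
foreach ( $cases as $name => $result ) {
    printf( "%-12s %s\n", $name, null === $result ? 'rejected' : 'accepted' );
}
```

Because the timestamp is part of the signed message in this sketch, shifting it to fit the freshness window invalidates the signature as well.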

Namespace prefixing
-------------------

When shipping inside a distributed product, prefix `MeuMouse\MDS\SDK` so two plugins can carry different SDK versions safely. Example Strauss config in your plugin's `composer.json`:

```
{
  "extra": {
    "strauss": {
      "target_directory": "vendor-prefixed",
      "namespace_prefix": "MyVendor\\Vendor\\",
      "packages": [ "meumouse/mds-php-sdk" ]
    }
  }
}
```

The bundled `mds-sdk.php` loader still elects the newest embedded copy across all plugins via a shared, class-free registry, so even unprefixed copies won't fatal.

Server keys
-----------

Generate a key pair and wire both sides:

```
php bin/generate-keys.php
```

Set `MDS_SIGNING_ENABLED`, `MDS_SIGNING_PRIVATE_KEY` and `MDS_SIGNING_PUBLIC_KEY` in the `mds-api` environment, and embed the printed public key as each product's `public_key`.

Development
-----------

```
composer install
composer test       # PHPUnit
composer analyse    # PHPStan
```

License
-------

GPL-2.0-or-later.
