# Secure, Non-Shareable Ebook Delivery — Strategy & Recommendation

> How we issue each purchaser an individualized, hard-to-share link to their Poki Yoki guide — automatically on Shopify checkout (incl. threshold-gifted ebooks). Compiled by a 5-agent research + synthesis swarm (2026-06-19). Proportional to a $7–12 product: deter casual sharing, don't build a fortress that hurts conversion.

## Recommendation
Build a self-hosted, first-party token-gate on the Cloudflare stack you already run (Workers + KV/D1, same account as poki-arcade, Shopify Admin API already wired, Turnstile already in play) rather than bolting on a DRM app. The canonical product is the interactive HOSTED web guide gated behind a per-order signed token; the watermarked PDF is a capped companion download for offline reading. This keeps buyers inside your funnel/points economy, makes threshold-GIFTED issuance trivial (mint a token when an order crosses a spend tier in the same webhook), and stays first-party — critical because your privacy policy currently forbids cross-site/third-party tracking. Proportionality is the whole game on a $5 item: the goal is to make casual sharing socially awkward and individually attributable, NOT to build an un-pirateable fortress. Off-the-shelf alternative if you want to ship in days instead of weeks: Sky Pilot Growth (~$50-55/mo) covers PDF stamping + unique per-order links + login gate + download caps + IP alerts in one app — but it does not host your bespoke interactive JS guide, so you'd still gate that yourself. Use Sky Pilot only as a stopgap; the Worker is the better long-term fit and you already own every piece of it.

## The access model
Two layers. (1) PRIMARY: token-gated HOSTED web reader. On checkout, mint a signed HMAC/JWT token bound to order ID + buyer email + guide SKU. Clicking the link (from the order-confirmation email AND the Shopify Thank-You page, to beat email-deliverability gaps) sets an HttpOnly Secure session cookie; the guide renders server-side from a Worker and is never delivered as a downloadable bundle. Persistently render the visible watermark line ('Licensed to {first name} · {email} · Order #{n} · Not for redistribution') in the reader header/footer from the order record. (2) COMPANION: per-buyer watermarked PDF behind a short-lived (15-60 min, freely re-issuable) signed URL with a LOOSE download cap (~5) and a loose IP allowance (~2-3, to avoid carrier-NAT false lockouts). Magic-link, NOT mandatory PIN, for standard purchases — a PIN on a $5 item just generates lost-PIN support tickets and a shared link+PIN is equally shareable. Skip device/browser fingerprinting entirely: <50% accurate on the open web, breaks multi-device buyers, and triggers GDPR/ICO consent obligations that conflict with your privacy policy.

## Automated issuance on checkout
Subscribe a Cloudflare Worker to the Shopify 'orders/paid' (or 'orders/fulfilled') webhook — you already authenticate to the Shopify Admin API via the client-credentials grant in your sync scripts, so registering the webhook is one more Admin API call. On the event: verify the HMAC signature, read line items, and for each guide SKU mint a per-order token (random key in KV/D1 mapping token→{orderId, email, sku, watermark fields, downloadCount}), then send the magic-link via Cloudflare Email Service (the cloudflare-email-service skill is available; keep it first-party). Also surface the link on the order Thank-You page. For threshold-GIFTED guides: same webhook checks order subtotal against the gift tier and mints+emails a token for the bonus guide in the same handler — no separate flow. Wire revoke-on-refund by also subscribing 'refunds/create' (or 'orders/cancelled') to flip the token's status to revoked, which instantly kills both the hosted reader session and the signed PDF URL. This is the one capability the free Shopify native Digital Downloads app cannot do and why it's a dealbreaker here.

## QR codes
QR is a UX/distribution convenience, NOT a security layer. Two distinct uses: (1) the QR PRINTED ON THE CUP/PACKAGING is identical on every unit, so it can NEVER be the personalized link — it must point to a generic claim/landing page (a one-step page that doubles as Poki Rewards registration capture), which then issues the individualized token after the buyer authenticates/claims. (2) For a SPECIFIC buyer (e.g., a gift insert or post-purchase email), a dynamic QR can encode that buyer's signed token URL to deep-link straight into their reader. Self-host the dynamic QR (generate the PNG/SVG in the Worker) to avoid a per-scan SaaS fee and keep tracking first-party. Bottom line: cup-printed QR → generic claim page → mint token; never try to make a mass-printed code carry per-buyer access.

## Anti-share posture (realistic)
A thin deterrent + traceability layer, explicitly NOT real DRM — the indie-publishing consensus is that no DRM stops a determined pirate (Calibre/Sigil strip watermarks; caps don't stop redistribution after first download) and over-investing on a $5 item costs more than the loss. Three measures, in ROI order: (1) VISIBLE per-purchaser watermark on every PDF page and persistently in the hosted reader, drawn ONLY from name/email/order data the buyer already gave you — highest deterrent-per-dollar precisely because it's visible (people won't post a file stamped with their own name+email) and it doubles as your leak-tracing mechanism, with zero new tracking to conflict with the privacy policy. (2) Token-gated hosted access (the lever you uniquely hold: a gated web experience is far harder to 'repost' than a file) with loose expiry + concurrent-session/IP anomaly alerting and one-click token revoke. (3) A single-user, non-transferable LICENSE line on the guide + matching ToS/privacy clause ('licensed not sold; your link is individually keyed; sharing violates our Terms') — free, ~30 min of copy, and it's what makes the visible name/email watermark lawful to display and gives any future DMCA notice teeth. DMCA only reactively/self-filed if a guide actually ranks on a piracy site. Do NOT ship: invisible/forensic watermarking (zero deterrence, can't be seen), hard DRM, device-locking, or default PINs.

## Biggest implementation risk
Reliable, idempotent token issuance off the Shopify webhook is the single biggest implementation risk — if the 'orders/paid' webhook is missed, retried, or fires twice, buyers either get NO access link (immediate support tickets and refunds on a $5 impulse purchase, where any friction kills the sale) or duplicate/garbled tokens. Mitigate with: strict HMAC signature verification, idempotency keyed on Shopify order ID (so retries are safe), a Shopify Admin API reconciliation sweep that catches any order whose token was never minted, and ALWAYS surfacing the link on the Thank-You page as a deliverability-independent fallback so access never depends solely on email arriving. Get this delivery path bulletproof before adding any anti-share friction.

## Phased build plan
1. Phase 0 (legal gate, ~30 min copy + counsel sign-off): write the single-user non-transferable LICENSE line + ToS/privacy clause; confirm with the open COPPA/privacy counsel that stamping name/email/order into the file and storing email+order+IP for first-party access control is consistent with the privacy policy that currently forbids third-party/cross-site tracking. This gates everything else.
2. Phase 1 (MVP, the 80/20): Worker subscribed to Shopify 'orders/paid' webhook (HMAC-verified) that mints a per-order token in KV/D1 and emails a magic-link via Cloudflare Email Service + surfaces it on the Thank-You page; the Worker server-renders the gated hosted guide with the visible watermark from the order record; companion PDF behind a short-lived signed URL with a ~5 download cap. Reuse Turnstile (already integrated) on the claim/login step. Ship 1-2 guides first to validate.
3. Phase 2 (gift + QR + revoke): add the order-subtotal threshold check in the same webhook to auto-issue GIFTED guides; subscribe 'refunds/create'/'orders/cancelled' to revoke tokens; add the generic cup-QR → one-step claim/registration page (Poki Rewards capture) and self-hosted dynamic QR for per-buyer gift links.
4. Phase 3 (soft enforcement + scale): per-buyer PDF watermark stamping at delivery time; concurrent-session/IP anomaly alerting + one-click revoke in the Command Center; light title monitoring; roll out all 10 guides. Reactive self-filed DMCA only if a title actually ranks on a piracy host.
5. Fallback if engineering bandwidth is the constraint: stand up Sky Pilot Growth (~$50-55/mo) for PDF stamping + unique per-order links + download caps + login gate as a same-week stopgap, and migrate the hosted-reader gating to the Worker when ready. Never use the free Shopify native Digital Downloads app for these — no per-buyer binding, no watermark, no revoke-on-refund.

## The options compared
| Tool / approach | How it works | Pros | Cons |
|---|---|---|---|
| **SendOwl (Shopify integration)** | Connects to your Shopify checkout; on purchase it auto-delivers a secure link to the buyer (email + order confirmation). Generates unique per-buyer access, supports PDF stamping that embeds buyer name/email/order # into each PDF (so a leaked file traces back to the buyer), expiring links (set to expire after N days), download-attempt limits, password/PIN locking, and streaming limits for video. You can revoke download access for an order from the Order Details page and on refund. Works for your PDF deliverable; the interactive HTML guide would still need to be hosted separately (SendOwl is file/stream-centric, not an arbitrary web-app host). | Best all-round DRM feature set for the requirement: per-buyer PDF watermarking, expiring links, attempt limits, PIN lock, AND explicit revoke-on-refund. Flat monthly fee with no per-order cut on paid tiers. Mature, widely used, strong Shopify integration. Proportional for an ebook catalog. | Pricing shifted UP in 2025 and is now uncertain/variable — Growth ~$15/mo, Pro ~$39/mo, but some merchants reported jumps to $100+/mo after the repricing; verify your exact quote before committing. The free/Starter tier takes ~5% per order. Does not host your interactive HTML guide — that stays a separate concern. Could not fully confirm exact per-link uniqueness mechanics from current docs (flagged). |
| **Sky Pilot ‑ Digital Downloads (best fit for the HOSTED interactive-guide model)** | On checkout, instantly emails a secure link AND exposes purchased content via a branded delivery page hosted INSIDE your Shopify store. Critically, it integrates with Shopify customer accounts: the buyer logs into their account to access purchased files/videos, so access is tied to the authenticated customer rather than a shareable raw URL. Supports PDF stamping, download limits, link expiration, login gates, and IP-based sharing alerts. Native streaming (Vimeo/Wistia) means an interactive/video guide can be delivered as gated streamed content, not a downloadable file. | Strongest match for the WEB-guide nuance: login-gated, in-store branded access page ties access to the customer account = inherently harder to share than a link. Has PDF stamping + limits + expiry + IP alerts too, so it also covers the PDF. Unlimited products/orders on Growth. Best single-app answer if you want hosted access + download in one. | Growth plan is pricier (~$50-55/mo) with bandwidth overages ($1/GB over 200GB) — bandwidth cost scales if guides are media-heavy. Free tier is tiny (100MB/2GB). Login-gate adds checkout/access friction that can dent conversion on $5 items (proportionality flag). Doesn't host a fully custom interactive HTML app — it gates files/streams, so a bespoke JS guide may still live on your own infra. |
| **EDP ‑ Easy Digital Products** | Attach files to products/variants; auto-emails the buyer a download link on checkout with custom download/thank-you pages. Provides license keys, PDF stamping/watermarking, set download limits, access codes, files-by-URL, and API. Pricing is order-volume based. | Cheapest credible DRM-capable option: Free (30 orders/mo, 3 products), Pro tiers $14.99 / $24.99 / $44.99/mo by storage, +$0.15 per extra order over 100/mo. Has the two features that matter most here — per-buyer PDF stamping AND download limits — plus license keys and access codes. Very proportional for $5 ebooks and a 10-title catalog. | Per-customer UNIQUE links and time-limited/EXPIRING links are NOT clearly documented as features (flagged uncertainty — confirm with vendor before relying on expiry). Revoke-on-refund not explicitly documented. File/download-centric — no hosted interactive-guide/streaming model like Sky Pilot. $0.15/order overage can add up at scale but is trivial at low volume. |
| **BookFunnel (ebook-specialist, via webhook/Zapier — no native Shopify app)** | Upload the ebook to BookFunnel; map it to a Shopify product by tag/SKU. On purchase, Shopify fires a webhook (direct or via Zapier) that triggers BookFunnel to deliver. EPUB files are watermarked with the buyer's identifying info; you can personalize delivery emails, set link expiration, and apply download limits. BookFunnel never touches the money — Shopify handles the sale, BookFunnel only delivers. | Purpose-built for ebooks with genuine per-buyer EPUB watermarking and a polished cross-device reader. Cheap on an annual basis (plans from $20/yr; Delivery Actions/expiry need Mid-List $100/yr+). Excellent reader UX for a parenting-guide audience. | No native Shopify app — relies on webhook/Zapier glue = more setup and a second vendor/dependency. Watermarking is strongest for EPUB; PDF support is weaker than dedicated PDF stampers. Adds a separate login/system the buyer touches. Doesn't host your bespoke interactive HTML guide. Best only if you ship true EPUB ebooks, which your interactive-HTML product is not. |
| **Shopify native Digital Downloads (free, baseline)** | Free Shopify-made app: one file per product, hosted by Shopify (5GB store cap), download link in order confirmation + email. Supports a finite download-count limit and an expiration window per variant; you can manually re-send a fresh link from the order admin. | Free, zero extra vendor, trivial setup. Has basic download-count limits + expiry. Fine as a stopgap or for the very lowest-friction path on $5 items. | DEALBREAKER for the non-shareable requirement: links/share-links are NOT tied to a specific customer or order, and there is NO PDF watermarking/stamping and no per-buyer binding. No license keys, no revoke-on-refund automation. One file per product is limiting. Not adequate where sharing = ToS/privacy violation. |
| **FetchApp** | Backend fulfillment that connects to Shopify and auto-sends files/license keys/access codes immediately after purchase. Per-product download limits, link expiration time, and an option to require the customer be logged in to access. | Veteran, reliable, free plan for up to 25 products (fits 10 guides). Has download limits, expiring links, and a login-required option — covers the core 'don't make it a forever-open public link' need at $0. | Per-buyer PDF watermarking/stamping is not a documented strength — weaker on traceability than SendOwl/EDP/BookFunnel. Older, more utilitarian UX. No hosted interactive-guide model. Revoke-on-refund not clearly documented. |
| **Gumroad / Thinkific / Teachable (off-Shopify platforms)** | Sell the guides on a separate platform: Gumroad (digital storefront with PDF stamping, license keys, unique download links) or Thinkific/Teachable (course platforms that gate hosted lessons behind per-student logins). | Gumroad has solid PDF stamping + unique links out of the box. Thinkific/Teachable natively host gated interactive content behind student accounts — conceptually closest to your interactive-guide model with zero DIY. | All take the buyer OFF your Shopify store, breaking the cup-system checkout, threshold-gift logic, points economy, and your funnel/attribution. Gumroad's 10% + processing fee is steep on $5 items. Course platforms are heavyweight and over-priced for a $5 PDF/guide. Threshold-gift issuance (gift at a spend tier) is hard to wire cleanly. Over-engineered for the use case — not recommended. |
| **Email magic-link to token-gated hosted reader (RECOMMENDED CORE)** | Checkout mints a signed HMAC/JWT token bound to email and order; emailed AND shown on the Shopify Thank-You page. Click sets an HttpOnly Secure session cookie; guide renders server-side, never a download. 15-60 min link expiry, re-issue freely. | Best fit for a hosted guide: nothing to redistribute. Bound to purchaser email (strongest soft-identity). No password, instant. HttpOnly keeps the session cookie out of reach of page scripts, so an XSS bug cannot read it. Re-issuable. | Relies on email deliverability (mitigate via Thank-You page link). Cannot stop screen-recording. You host the gating yourself, which is cheap on Workers. |
| **Signed expiring download URLs for PDF (RECOMMENDED COMPANION)** | Per-order signed URLs (HMAC-SHA256, S3-presigned, R2, or JWT RS256) binding path, expiry, order. The expiry must be inside the signed data, never an unsigned parameter. 15-60 min; cap downloads and IPs at 2-3. Fileflare, Imprint Files, Sky Pilot automate it. | Standard, edge-fast. Kills naive link-sharing. Caps blunt mass distribution. Off-the-shelf. Keepable PDF buyers expect. | Once downloaded, the file circulates freely. IP caps cause false-positive lockouts on carrier-NAT; keep loose. Short expiry annoys returners; pair with re-issue. |
| **Per-buyer PDF watermarking (RECOMMENDED, highest ROI)** | Stamp each PDF with buyer name, email, order (visible plus metadata). Fileflare and Sky Pilot auto, or a Worker at delivery. | Best deterrence-per-effort for 5 dollars. Zero friction. Social deterrent. Traceable to source order. | Discourages not prevents. Croppable or strippable. Not a lock. |
| **PIN/password gating** | Per-order PIN with link; reader or download requires it. | Real second barrier; good for GIFTED guides (no purchaser email) or pricier bundles. | Overkill for 5 dollars: friction plus lost-PIN tickets. Shared link plus PIN equally shareable. Use ONLY for gift-threshold flow. |
| **Device-lock via fingerprinting/cookie binding** | Bind to a device via fingerprint or first-device cookie/localStorage. | In theory ties a copy to one device. | NOT achievable on open web, NOT recommended. Accuracy under 50 percent; browsers randomize entropy; cookies clearable. Locks out multi-device buyers. Triggers GDPR/ICO consent. Over-engineering for 5 dollars. |
| **Stream-only / view-online-only** | Serve only via gated reader, remove PDF (Fileflare streaming-only). | Strong UI deterrent, no file to redistribute. Fits interactive format. | Buyers expect a keepable file; removing dents value and conversion. Screen-recording still possible. Best as default plus OPTIONAL watermarked PDF. |
| **Dynamic QR to claim then tokenized hosted access (RECOMMENDED)** | QR lands on a claim page; mint an order-bound token in KV; a Worker gates the guide and a signed PDF URL; paid buys get the link emailed via the orders webhook. | Personalization at claim time; order-bound; revocable; serves free and paid funnels; feeds registration; cheap. | More build than an app; claim friction; QR fee unless self-hosted; cannot stop session sharing. |
| **Shopify app, unique per-order links (LOW-EFFORT)** | Fileflare or Digitally unique-per-order with download caps, expiry, IP caps, watermarking. | Fastest; caps, expiry, IP limits, watermark; deters viral sharing. | Built for PDFs not a web app so guide needs a gate; binds link not device; subscription. |
| **Signed-URL or JWT with optional PIN/device (MAX-CONTROL)** | Signed token encoding order, email, IP, expiry; optional PIN and device fingerprint. | Strongest binding short of DRM; stateless; PIN and device make sharing hard. | Over-engineered for 5 dollars; friction hurts conversion; fingerprinting raises privacy concerns. |
| **A. Visible per-purchaser watermark (PDF page-stamp + on-screen in web guide) — THE PRIMARY DETERRENT** | On checkout, stamp every PDF page (e.g. top or footer): 'Licensed to {first name} · {email} · Order #{n} · Not for redistribution'. In the hosted interactive web guide, render the same line persistently (header/footer or faint repeating overlay) tied to the logged-in/token session. Payhip and Sky Pilot both do exactly this PDF stamping natively; for the web guide you inject it server-side from the order record. Use ONLY data the buyer already provided (name/email/order) — no new tracking, consistent with the existing privacy policy. | Highest deterrent-per-dollar: works *because* it's visible — people don't post files with their own name+email on them. Near-zero conversion impact (legit buyer barely notices). Cheap/native on Payhip & Sky Pilot. Doubles as traceability if a copy leaks. First-party data only, so no privacy-policy conflict. | Strippable by a technical user via Calibre/Sigil/PDF editor (locklizard, Payhip both concede this). Deters casual sharing, not determined pirates — but that's the correct target for a $5 item. |
| **B. Per-order token-gated HOSTED access link (+ expiry + download cap on PDF) — strongest lever you uniquely hold** | Because the product is a real interactive WEB guide (not just a file), keep the canonical experience behind your own auth: issue a unique signed token per order (JWT/HMAC or a random key in KV/D1) embedded in a one-per-buyer URL delivered on checkout. Token maps to the order; gate the hosted guide on it. Set a sensible PDF download cap (~5, Payhip/Sky Pilot default) and optional link expiry for the download (NOT the hosted access). Sky Pilot supports unique per-order links, login gates, download limits, IP alerts; or roll your own Cloudflare Worker + KV/D1 (you already run Workers/Pages). QR code on packaging/insert can deep-link to the buyer's token URL for the gifted-at-threshold flow. | The hosted guide can't be 'downloaded and reposted' the way a PDF can — sharing means sharing YOUR login/token, which you can rate-limit, expire, or flag on anomalous IPs. Plays to your existing Cloudflare/Worker stack. QR fits the packaging-insert / gift-threshold use case cleanly. Enables soft enforcement (revoke a leaked token) without hard DRM. | Token links are still forwardable (someone can paste the URL). Mitigate softly with expiry + concurrent-session/IP alerting, NOT hard device-locking (which generates support load and hurts conversion). Building your own gate is engineering time vs. just paying $25-55/mo for Sky Pilot Growth. Hosted-only would block offline reading, so keep the watermarked PDF as the companion download. |
| **C. Single-user non-transferable LICENSE + ToS/privacy clause (the legal spine)** | Add a short license to each guide's first page/checkout/landing: 'This guide is licensed, not sold, for personal non-commercial use by the purchaser. Your access link and copy are individually keyed to you and are non-transferable. Redistribution, resale, or sharing violates this license and our Terms of Service.' Mirror one line in ToS and in the privacy policy noting links are personalized to the buyer's order data. Pair with a visible © notice. This is what makes the watermark name+email lawful to display and gives DMCA notices teeth. | Free, ~30 min of copy. Converts 'sharing' from a vague wrong into a clear license breach, strengthening DMCA/account-termination grounds. Sets buyer expectations up front (the visible watermark then reads as enforcement of a stated term, not a surprise). Required groundwork for any takedown. | Purely contractual — deters honest people, not pirates. Must be consistent with the existing privacy policy (disclose that order data is stamped into the file/link). Worth a brief counsel review since the user already has an open COPPA/privacy-counsel gate. |
| **D. Reactive DMCA takedowns (only when a guide actually appears pirated)** | Monitor lightly (periodic Google search for guide titles; the visible watermark tells you WHICH buyer leaked). If a guide ranks on a piracy/file-host site, file a DMCA notice yourself to the host and to Google Search delisting — free to DIY, templates widely available. Escalate to a $99-199 takedown service only if it recurs. Do NOT chase the long tail. | Free to self-file; 70-90% removal within ~72h when host + search filings run together; Google delisting in 4-10 days. The single most useful legal tool for indies. Watermark makes the source buyer identifiable for account termination. | Whack-a-mole; reappears. Real cost is your time ($150-300 in labor-equivalent per DIY notice) — so reserve for cases that actually rank for your title or dent sales. Not worth it for scattered copies of a $5 guide. |
| **E. Forensic / invisible watermarking + hard DRM + default PINs — OVER-ENGINEERING, recommend AGAINST at this price** | Would mean embedding invisible per-copy identifiers (steganographic text/image markers) and/or Adobe-style DRM (EditionGuard) and/or mandatory PIN/password on every access. | Forensic marks survive some format conversion and give covert post-leak attribution; hard DRM blocks copy-paste. | Wrong tool for $5 items. Invisible watermark gives ZERO deterrence (pirate can't see it, so it doesn't change behavior) and is still defeatable; hard DRM and mandatory PINs measurably hurt conversion, generate support tickets, restrict device/format compatibility, and cost monthly fees + engineering — you'd 'spend more than the loss.' Reserve PIN as an OPTIONAL toggle for high-value bundles only, never the default. |

## Sources
- [Sky Pilot — Shopify digital downloads app (PDF stamping, download limits, login gates, IP alerts, per-order links)](https://apps.shopify.com/sky-pilot)
- [Sky Pilot — Customer Account Integration / gated delivery page](https://web.skypilotapp.com/blogs/how-to-guides/customer-account-integration-my-files-videos-button-integration)
- [SendOwl — Can I set a time limit for downloads? (expiring links)](https://help.sendowl.com/help/can-i-set-a-time-limit-for-downloads)
- [SendOwl — How do I revoke downloads for an order? (revoke-on-refund)](https://help.sendowl.com/help/how-do-i-revoke-downloads-for-an-order)
- [EDP – Easy Digital Products on Shopify App Store](https://apps.shopify.com/easy-digital-products)
- [Shopify Help Center — Digital Downloads native app (no per-buyer binding/watermark)](https://help.shopify.com/en/manual/products/digital-service-product/digital-downloads)
- [Shopify Dev — Tokengating overview](https://shopify.dev/docs/apps/build/blockchain/tokengating)
- [Shopify Webhooks Admin API tutorial (Hookdeck)](https://hookdeck.com/webhooks/platforms/how-create-shopify-webhooks-with-shopify-api-tutorial)
- [Fileflare — Prevent download sharing (signed URLs, caps, expiry, watermarking)](https://fileflare.io/docs/prevent-sharing/)
- [Curity — JWT best practices](https://curity.io/resources/learn/jwt-best-practices/)
- [VdoCipher — Token-based URLs and JWT](https://www.vdocipher.com/blog/token-based-urls/)
- [Mux — Securing playback with signed URLs](https://www.mux.com/articles/securing-video-playback-with-signed-urls)
- [Seresa — Browser fingerprinting in 2025 is not the cookie alternative you think](https://seresa.io/blog/data-loss/browser-fingerprinting-in-2025-why-ip-device-screen-hashing-is-not-the-cookie-alternative-you-think)
- [Cloudflare Workers protect digital products (Sophies Bureau)](https://sophiesbureau.com/digital-ops/cloudflare-workers-protect-digital-products-free)
- [Locklizard — Why social watermarking doesn't stop ebook piracy (and what it's good for)](https://www.locklizard.com/document-security-blog/ebook-social-watermarking/)
- [Verimatrix — Visible vs forensic watermarking](https://www.verimatrix.com/anti-piracy/faq/visible-vs-forensic-watermarking-what-s-the-difference/)
- [Payhip — Ebook piracy: pragmatic protections, accept some piracy](https://payhip.com/blog/ebook-piracy/)
- [U.S. Copyright Office — The DMCA (notice-and-takedown)](https://www.copyright.gov/dmca/)
- [Ceartas — True cost of a DMCA takedown (DIY vs service)](https://www.ceartas.io/articles/dmca-takedown-cost)
- [Stern/NYU — Managing Digital Piracy: Pricing and Protection (economics of protection vs loss)](https://oz.stern.nyu.edu/papers/mdpfinal.pdf)
- [Bitly — Static vs Dynamic QR Codes](https://bitly.com/blog/static-vs-dynamic-qr-codes/)
- [OpenQr — QR codes on product packaging](https://openqr.io/qr-codes-on-product-packaging/)

*Directional research — validate vendor features/pricing before committing. Strategy guidance, not legal advice.*
