Documentation

Step 1: Create your account

Sign up at obfuscura.com/register. Every account starts with a 14-day free trial with full access. No credit card required.

Step 2: Create a project

From your dashboard, click New Project. Give it a name (e.g., "My WordPress Plugin"). Each project gets its own API key and can have multiple license types.

Step 3: Encode your files

Navigate to the Encode tab. Upload a single PHP file or ZIP archive. Select encoding options and click Encode. Protected files are ready in seconds.

Step 4: Include the loader

Download the runtime loader from your project settings. Place obfuscura-loader.php in your project root and add:

require_once __DIR__ . '/obfuscura-loader.php';

Your encoded files now execute normally. The loader handles license validation transparently.

Step 5: Issue a license

Go to Licenses > Create License. Choose a license type, set restrictions, and generate the key. Send it to your customer with the encoded files.

What gets encoded

Obfuscura encodes .php files only. Non-PHP files (images, CSS, JavaScript, configs) pass through unchanged. Upload your entire project as a ZIP and only PHP files are transformed.

Encoding options

String Encryption: Encrypts all string literals. Enabled by default.

Control Flow Flattening: Restructures logic flow to resist decompilation. Enabled by default. May increase file size 10-20%.

Dead Code Injection: Inserts realistic non-functional code paths. Optional. Increases analysis time significantly.

License Binding: Requires valid license at runtime. Disable for open-core models where some files are free.

Batch encoding via API

curl -X POST https://obfuscura.com/api/v1/encode \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -F "file=@my-plugin.zip" \
  -F "options[string_encryption]=true" \
  -F "options[control_flow]=true" \
  -o my-plugin-encoded.zip

How it works

The loader registers a custom stream wrapper and autoloader. When an encoded file is included, the loader intercepts the request, decodes the file in memory, and passes it to PHP's execution engine. The decoded source never touches disk.

The loader also handles license validation on a configurable schedule, caching results locally.

Configuration

The loader reads from environment variables or obfuscura.json:

{
  "license_key": "OBF-XXXX-XXXX-XXXX-XXXX",
  "project_api_key": "proj_xxxxxxxxxxxxx",
  "validation_interval": "daily",
  "offline_grace_hours": 72,
  "log_level": "error"
}

Hosting compatibility

Works on any environment running PHP 8.0+. No PECL extensions, no php.ini changes. Tested on:

• Shared hosting (cPanel, Plesk, DreamHost)
• VPS (DigitalOcean, Linode, Vultr)
• Cloud (AWS EC2, GCP, Azure)
• Managed platforms (Laravel Forge, Ploi, ServerPilot)
• Containers (Docker, Kubernetes)

License types

Define license types as templates with rules:

• Duration: Perpetual, fixed-date, or relative (365 days from activation)
• Activation limit: How many domains/servers per key
• Domain locking: Bind to specific domains
• Features: Feature-gated licensing
• Validation interval: Per-request, hourly, or daily
• Offline grace: How long files work without API access

Issuing licenses via API

curl -X POST https://obfuscura.com/api/v1/licenses \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "license_type_id": 1,
    "customer_email": "client@example.com",
    "customer_name": "Acme Corp",
    "domains": ["acme.com", "staging.acme.com"],
    "expires_at": "2027-01-01"
  }'

Returns a key like OBF-A1B2-C3D4-E5F6-G7H8. Include this key in the obfuscura.json that ships with your encoded project.

Revoking licenses

Revoke instantly from the dashboard. Encoded files stop after the offline grace period expires. Modify domains, expiration, or activation limits at any time.

Overview

Obfuscura's REST API lets you encode files as part of your deployment pipeline. Add a single step to your workflow and ship protected artifacts without manual intervention.

GitHub Actions

# .github/workflows/release.yml
- name: Encode PHP files
  run: |
    curl -X POST https://obfuscura.com/api/v1/encode \
      -H "Authorization: Bearer ${{ secrets.OBFUSCURA_KEY }}" \
      -F "file=@dist/my-plugin.zip" \
      -F "options[string_encryption]=true" \
      -F "options[control_flow]=true" \
      -o dist/my-plugin-encoded.zip

GitLab CI

# .gitlab-ci.yml
encode:
  stage: build
  script:
    - curl -X POST https://obfuscura.com/api/v1/encode
        -H "Authorization: Bearer $OBFUSCURA_KEY"
        -F "file=@dist/my-plugin.zip"
        -o dist/my-plugin-encoded.zip
  artifacts:
    paths:
      - dist/my-plugin-encoded.zip

Any REST-capable runner

Jenkins, Bitbucket Pipelines, CircleCI, or any system that can execute a curl command works. Store your API key as a secret and call the encode endpoint. Results are streamed back as a download — no temporary storage on our side.

Unlimited encoding

All plans include unlimited encoding runs via the API. No per-encode fees and no per-server charges.

Connect your Stripe account, map products to license types, and Obfuscura will automatically:

• Create a license when a new subscription starts
• Suspend a license when a payment fails
• Reactivate a license when payment succeeds
• Revoke a license when a subscription is canceled

Your entire sales workflow — from checkout to code protection — is fully automated.

"License validation failed"

Check license_key and project_api_key in obfuscura.json. Verify the license is active and domain matches. Check firewall rules for outbound HTTPS on port 443.

"Loader integrity check failed"

The loader file was modified. Re-download a fresh copy from your project settings. The loader includes a self-verification checksum.

Encoded files not executing

Ensure the loader is required before any encoded files. It must be the first require in your entry point. Verify PHP 8.0+: php -v.