Protect, License, and Ship
Without Changing How You Work.
Encoding, licensing, payment automation, and CI/CD integration — one platform, nothing bolted on.
No Server Extensions Required
Unlike ionCube, Zend Guard, and SourceGuardian, Obfuscura does not require a compiled C extension on your customers' servers. Our pure-PHP loader is a single file — one require statement and it works everywhere: shared hosting, Docker, AWS, Kubernetes.
Full REST API on Every Plan
Encode files, create licenses, validate activations, and manage your entire workflow programmatically. No other PHP encoder offers a public API. Build custom integrations, automate CI/CD pipelines, and connect to any system that speaks HTTP.
Multi-Layer Bytecode Encoding
Five transformation stages, each adding another barrier between your source and anyone attempting to reconstruct it.
Stage 1 — AST Parsing
Source parsed into an abstract syntax tree. Comments, whitespace, and formatting stripped. All identifiers catalogued for renaming.
Stage 2 — Control Flow
Branches, loops, and calls restructured into a state-machine pattern. Runtime behavior identical, but decompiled output unreadable.
Stage 3 — String Encryption
Every string literal encrypted with a key derived from the file's license binding. Decrypted at runtime, in memory only, never written to disk.
Stage 4 — Dead Code
Realistic but non-functional code paths woven throughout, dramatically increasing time and effort required for manual analysis.
Stage 5 — Bytecode
Final output compiled to a compact binary format executed directly by our runtime loader. The original PHP cannot be reconstructed.
Polymorphic Output
Every encoded file is unique — even from identical source. Re-encoding produces different bytecode each time, defeating pattern-based attacks.
Protect More Than Just PHP
Your application ships config files, templates, and data schemas. Encrypt them too.
Template Encryption
Encrypt Blade, Twig, and Smarty templates so your HTML structure and business logic stay hidden. The loader decrypts them on the fly at render time.
Config & Schema Files
XML configs, JSON schemas, YAML definitions, and .env templates — anything sensitive your app ships can be encrypted and decrypted at runtime.
Selective Encoding
Upload a full project ZIP and choose what to protect. PHP files are encoded, selected non-PHP files encrypted, everything else passes through untouched.
Licensing Included, Not Bolted On
Every plan ships with a complete license management system. No separate product to buy. No add-on fees.
Time-Limited Licenses
Expire after a date, after a number of days, or relative to first activation. Perfect for subscriptions, trials, and annual renewals.
Activation Limits
Sell single-site, multi-site, or unlimited licenses. Track every activation with domain, IP, and device fingerprinting.
Feature Flags
Gate specific features behind license tiers. Sell "Basic" and "Pro" versions from a single codebase and encoded package.
< 50ms Validation
Our API responds globally in under 50 milliseconds. Configurable offline grace periods ensure customers are never locked out.
Custom Expiry Messages
Define exactly what customers see when a license expires, is revoked, or fails validation. Point them to your renewal page.
Instant Revocation
Revoke any license from the dashboard or API. Modify domains, expiration, or activation limits at any time without re-encoding.
Domain & Environment Locking
The most effective way to prevent unauthorized redistribution.
How It Works
When a license is activated for example.com, encoded files execute only on that domain. Attempts to copy files to another server are blocked at the loader level — before any application code runs. Go further with IP binding, server hostname matching, and custom environment variable checks.
Staging Support
Allow staging.example.com alongside production without burning an extra activation. Add development domains to a license's allowlist for free. Every failed lock check is logged to your dashboard with the offending domain, IP, and timestamp.
Anti-Debug & Tamper Protection
Detect and defeat reverse engineering attempts before a single line of your logic executes.
Debugger Detection
Automatically detects Xdebug, phpdbg, and other debugging extensions at load time. Execution halts gracefully and the event is reported to your dashboard.
Cryptographic Integrity
Every encoded file and the loader itself contain cryptographic checksums. If a single byte is altered, execution is refused.
Real-Time Audit Trail
Every failed validation, tamper attempt, and debugger detection is logged with timestamps, IPs, and server details.
Billing & License Automation
Connect your Stripe account and your entire license lifecycle runs itself.
Automatic License Provisioning
Map Stripe products to Obfuscura license types. When a customer subscribes, a license key is generated and delivered automatically. Cancellations revoke, failures suspend, renewals reactivate. Zero manual intervention.
Trial & Upgrade Workflows
Offer free trials with Stripe's trial period and Obfuscura issues a time-limited license automatically. When the trial converts to paid, the license upgrades. Use product variants to manage tiers with different feature flags.
CI/CD Pipeline Integration
Stop encoding files by hand. Ship protected artifacts on every release.
Add a single step to your GitHub Actions, GitLab CI, Bitbucket Pipelines, or Jenkins workflow. Encoding runs on our infrastructure, so your build agents stay lean.
# GitHub Actions example
- name: Encode PHP files
run: |
curl -X POST https://obfuscura.com/api/v1/encode \
-H "Authorization: Bearer ${{ secrets.OBFUSCURA_KEY }}" \
-F "file=@dist/my-plugin.zip" \
-F "options[string_encryption]=true" \
-F "options[control_flow]=true" \
-o dist/my-plugin-encoded.zipUnlimited Encoding
All plans include unlimited encoding runs. Encode as many projects, as many files, as many times as you need. No per-encode fees, no per-server charges.
Modern Developer Dashboard
Everything in one place — no desktop app, no command-line-only workflows.
Multi-Project Management
Organize WordPress plugins, Laravel packages, and standalone apps into separate projects, each with its own API key and settings.
Customer & License Tracking
See every customer, their licenses, activation history, and payment status in one view. Search, filter, and export data.
Actionable Analytics
Track validation volume, active domains, license utilization, and failed attempts over time. Identify trends at a glance.
API-First Architecture
Every dashboard action is an API endpoint. Build any workflow you can imagine.
Encode via API
Upload files, set encoding options, and download protected output — all programmatically. Perfect for CI/CD and custom tooling.
License CRUD
Create, read, update, and delete licenses from your checkout flow, admin panel, or any system that speaks HTTP.
Validation Endpoint
The same endpoint your encoded files call internally is available for your custom integrations across any language.
Framework & CMS Compatibility
Tested and optimized for the frameworks developers actually use.
WordPress
Encode plugin or theme PHP files while keeping readme.txt, stylesheets, and block editor assets readable. Domain-locked licenses prevent unlimited installs.
Laravel
Service providers, controllers, models, and middleware are encoded. Blade templates, config files, routes, and migrations remain unencoded for compatibility.
Symfony
Encode bundles and services while preserving YAML/XML config, Twig templates, and Doctrine mappings.
CodeIgniter, CakePHP, Yii
Full compatibility with all major PHP frameworks. If it runs on PHP 8.0+, Obfuscura protects it.
Standalone PHP
Custom applications, CLI tools, and microservices work identically. The loader has no framework dependency of its own.
Multi-Language Loaders
Validate licenses from JavaScript and Python alongside PHP. If your product spans multiple languages, one Obfuscura account covers the entire stack.