Chrome Extension Kit

ARTICLE

How a Chrome Extension Should Validate a Paid License

Chrome extension license validation request and entitlement response.

License validation is the bridge between a purchase and the premium behavior inside the extension. It needs to handle activation, refresh, expired access, network failure, and support recovery.

A practical flow looks like this:

  1. The customer purchases through Polar.sh.
  2. The customer receives a license key or entitlement claim path.
  3. The extension options page asks for the license key.
  4. The extension sends the key to a Cloudflare Worker validation API.
  5. The Worker checks Polar.sh or the entitlement database.
  6. The extension caches the result in chrome.storage.
  7. Premium features read the cached result and refresh it when needed.

The extension should not call Polar’s management API directly. Distributed extension code cannot protect secret tokens.

Design the validation response for UI and product logic. Fields such as active, planName, expiresAt, features, checkedAt, and reason are usually enough. Avoid returning internal IDs or unnecessary personal data.

Network failure needs a policy. If validation succeeded recently, you may allow a short grace period. If validation has not succeeded for a long time, the extension can disable premium actions, show recovery instructions, or ask the user to retry.

If you enforce device limits, add activation records. A first validation creates an activation. Later checks include that activation id. Users also need a way to deactivate old devices.

Do not rely only on hiding UI. If premium features call your server or consume costly resources, the server must check entitlement too.

References