Private storage

Paid files are stored in a private object bucket. They are not copied into public site directories, indexed routes, or the static build.

Authenticated access

My Library requires a short-lived email sign-in link and a secure session cookie. Access is matched to the purchasing email and active entitlements.

Expiring links

Each download action creates a short-lived, single-use delivery link. The link is a bearer credential and should not be forwarded.

Expired or failed links

Return to My Library to create a new link. If an authorized download repeatedly fails, use the resend action or contact support.

Security and logs

Order, entitlement, sign-in, and download events are logged for access control, support, fraud prevention, and refund review. Logs do not make paid assets public.