
How to Watermark Your Scripts So Leaks Trace Back to the Buyer

You sell a script, a system, or a UEFN device once — and a week later it's in three Discord servers you've never heard of. You can't stop a determined leaker from re-uploading text, but you can make every copy you hand out carry a hidden, per-buyer fingerprint. Then a leak stops being a mystery: you upload the leaked file, and it names the buyer it was issued to. Here's exactly how to set that up before your next sale.

Why a watermark beats a license agreement alone

A license agreement tells a buyer what they're allowed to do. It does nothing to tell you who broke the rules once a copy is loose. When the same script turns up in a free-leaks server, a terms-of-service line is unenforceable if you can't connect that specific copy to a specific person.

A forensic watermark closes that gap. Every copy you sell carries a hidden marker keyed to one buyer. The marker doesn't stop anyone from pasting the file somewhere — nothing in plain text can — but it changes the economics of leaking. A buyer who knows their copy is individually fingerprinted is far less likely to redistribute it, and if they do anyway, you have the one thing every takedown and every blacklist report needs: evidence pointing at a named person.

VerifyUGC's code watermarking is free, built into the dashboard, and available to any signed-in account — there's no paid tier gate on it. You don't embed anything in your product; you watermark the file you're about to hand over.

What the watermark actually does

When you watermark a script, VerifyUGC embeds the mark in three independent layers, so the fingerprint survives even if one layer is stripped:

  • A license footer — a single comment line in the file's native comment style (-- for Luau, # for Verse and Python, // for JavaScript/TypeScript/C#, and so on) noting the copy is licensed via verifyugc.dev.
  • A woven license marker — a short [vugc:lic_…] token tucked inside the comment body, tied to the license you issued.
  • An invisible payload — a zero-width Unicode sequence (the same family of characters used for invisible formatting) carrying the license reference where the eye can't see it.

Extraction succeeds if any one of those layers is intact. Someone who deletes the obvious footer comment still leaves the woven marker and the invisible payload behind unless they go looking for both. The mark resolves to a license, and a license is tied to a single buyer handle — so an extracted mark answers exactly one question: which copy is this, and who did I give it to?
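The three-layer idea above, as an added sketch that is not VerifyUGC's code: the page does not publish the real encoding, so the zero-width bit alphabet, the footer wording with the id in parentheses, and the names `embed`, `extract`, `zw_encode` and `zw_decode` are all assumptions, and `lic_demo42` is a constructed license id.

```python
import re

# Assumed encoding for illustration only; not VerifyUGC's actual format.
ZW0, ZW1, ZW_END = "\u200b", "\u200c", "\u200d"  # bit 0, bit 1, end of payload
TOKEN_RE = re.compile(r"\[vugc:(lic_[A-Za-z0-9]+)\]")
FOOTER_RE = re.compile(r"licensed via verifyugc\.dev \((lic_[A-Za-z0-9]+)\)", re.I)

def zw_encode(license_id: str) -> str:
    """Encode an ASCII license id as zero-width characters, 8 bits per byte."""
    bits = "".join(f"{b:08b}" for b in license_id.encode("ascii"))
    return "".join(ZW1 if bit == "1" else ZW0 for bit in bits) + ZW_END

def zw_decode(text: str):
    """Return the first well-formed payload among the zero-width characters."""
    only_zw = "".join(ch for ch in text if ch in (ZW0, ZW1, ZW_END))
    for chunk in only_zw.split(ZW_END):
        if chunk and len(chunk) % 8 == 0:
            bits = chunk.replace(ZW1, "1").replace(ZW0, "0")
            raw = bytes(int(bits[i:i + 8], 2) for i in range(0, len(bits), 8))
            if raw.isascii() and raw.startswith(b"lic_"):
                return raw.decode("ascii")
    return None

def embed(source: str, license_id: str, prefix: str = "--") -> str:
    """Mark a copy: token and payload on the first comment line, footer last."""
    lines = source.rstrip("\n").split("\n")
    for i, line in enumerate(lines):
        if line.lstrip().startswith(prefix):
            lines[i] = f"{line} [vugc:{license_id}]{zw_encode(license_id)}"
            break
    lines.append(f"{prefix} Licensed via verifyugc.dev ({license_id})")
    return "\n".join(lines) + "\n"

def extract(text: str) -> dict:
    """Check each layer independently; any surviving layer yields the id."""
    found = {}
    if (m := FOOTER_RE.search(text)):
        found["footer"] = m.group(1)
    if (m := TOKEN_RE.search(text)):
        found["token"] = m.group(1)
    if (payload := zw_decode(text)):
        found["invisible"] = payload
    return found

# Constructed sample: a small Luau snippet and a made-up license id.
SAMPLE = "-- Door controller\nlocal open = false\nreturn open\n"
LICENSE_ID = "lic_demo42"
MARKED = embed(SAMPLE, LICENSE_ID)
# The same copy with its footer comment line deleted.
NO_FOOTER = "\n".join(MARKED.rstrip("\n").split("\n")[:-1]) + "\n"
```

`extract(NO_FOOTER)` still returns the id from the token and invisible layers, and the code lines of `MARKED` are byte-for-byte those of `SAMPLE`, because all three layers live in comments.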

Which languages are supported

The watermarker is language-aware: it inserts the visible layers using the correct comment syntax for the file type, so the marked file still compiles and runs. Supported source types include the languages most UGC creators ship:

  • Roblox — Luau / Lua (.luau, .lua)
  • Fortnite / UEFN — Verse (.verse)
  • Web & tooling — JavaScript, TypeScript, JSX/TSX
  • General — C#, C, C++, Java, Go, Rust, Swift, Kotlin, Python, Ruby, PHP, SQL, shell, and more
  • Markup & styles — HTML, XML, SVG, CSS/SCSS (block-comment styles)

For file types with no comment syntax (such as raw JSON), the watermarker falls back to the invisible payload only, so the file stays valid.

Step by step: watermark a script before you sell it

The whole flow takes under a minute per buyer.

  1. Create a license for the buyer. In the dashboard, issue a license with the product name and the buyer's handle (their VerifyUGC handle, Discord tag, or whatever identifier you use). This is what every mark under that license will trace back to.
  2. Watermark the file under that license. Paste or upload the script and watermark it. You can do a single file or a batch (up to 25 source files / 4 MB at a time) when a sale includes several scripts.
  3. Deliver the watermarked copy — not your master. Send the buyer the marked file. Keep your clean original. If you sell the same product to ten buyers, you issue ten licenses and watermark ten copies, each fingerprinted to one person.
  4. Keep your originals dated. Version control (git) or dated exports establish your authorship timeline independently of the watermark — useful evidence if you ever need to prove the work is yours.

Every license keeps a list of the watermarks issued under it, so you always have a record of who got what.

How to trace a leak

Tracing is a manual, on-demand check — there is no background crawler watching the internet for you. When you find a copy you suspect is leaked:

  1. Get the file. Download or copy the leaked script text.
  2. Run it through the scanner. Upload it to the watermark scanner in the dashboard.
  3. Read the attribution. If a mark survives, the scan resolves it to the license and the buyer handle it was issued to. Only you (the license owner) or VerifyUGC staff can see the buyer behind a mark — attribution is access-gated, not public.

That's the whole loop: suspect a leak, upload it, get a name. It's forensic evidence on demand, not a monitoring service — you bring the suspected copy, and VerifyUGC tells you whose it is.

What it survives — and what it doesn't

Being honest about the limits is what makes a watermark useful instead of a false sense of security.

It reliably survives: copy-paste, re-saving, downloading and re-uploading, and converting between file formats. Because the mark lives in three layers, casually deleting the footer comment doesn't remove it.

It can be defeated by deliberate laundering: someone who fully retypes the script from scratch, strips every comment, and normalizes all whitespace can remove the marks. The watermark raises the cost and effort of laundering a leak and makes casual redistribution traceable — it does not make code uncopyable. Anyone who tells you a text watermark is unbreakable is overselling it.

The practical effect: the lazy leaker — the one who pastes your file as-is — gets caught, and the determined one has to do enough work that many won't bother. Combined with a per-buyer license, that's usually enough to change behavior.

After you identify the leaker

Once a scan names a buyer, you have a few escalation paths:

  • Revoke the license. Mark that buyer's license revoked so it no longer validates — without deleting the record you'll want as evidence.
  • Report them to the blacklist. Add the leaker to VerifyUGC's blacklist with your evidence. The flag follows them across every participating community, so the next creator or server they approach already knows.
  • File a takedown. A leaked script hosted where it shouldn't be is a copyright matter. File a DMCA / IP-infringement notice with the platform hosting it (Roblox, Discord, GitHub, a file host) through that platform's own takedown process — your watermark attribution is the evidence that the copy is yours and who leaked it. A DMCA notice is a sworn legal statement, so file it under your own name and keep it factual.

Watermark first, sell second. The fingerprint only helps if it's already in the copy before it leaves your hands — you can't trace a file you handed out clean.

Does watermarking stop people from copying my script?

No, and no text watermark can. It makes leaked copies traceable back to the buyer they were issued to, which deters redistribution and gives you evidence for takedowns and blacklist reports. It does not prevent copying or make code uncopyable.

Will the watermark break my code?

No. The visible layers are inserted using the correct comment syntax for the file type, so the marked file still compiles and runs exactly as before. The invisible layer lives in zero-width characters that don't affect execution.

Can the buyer just delete the watermark?

They can delete the obvious footer comment, but the mark is stored in three independent layers, so deleting one usually leaves the others intact. Fully removing it requires deliberately retyping the code and normalizing all comments and whitespace — far more effort than a casual leak.

How do I actually find out who leaked it?

Upload the suspected copy to the watermark scanner in the dashboard. If a mark survives, it resolves to the license and buyer handle the copy was issued to. There's no automatic web scanning — you bring the file you suspect, and the scan names the buyer.

Fingerprint your next sale.

Issue a per-buyer license, watermark the file, and hand over a copy that traces straight back to whoever leaks it. Free on any account.
