
Documentation

Everything you need to protect your 3D print files, manage licenses, and catch pirates.

Quick Start

1. Create an account

Sign up free — no credit card required. You get 5 products and 50 tokens/month on the free plan.

2. Upload your STL file

Go to Products → Upload STL. Choose Standard mode (buyer uses their slicer) or Maximum mode (G-code only, raw mesh never exposed).

3. Generate a token for your buyer

Go to Tokens → Generate Token. Enter the buyer's email and select the product. Send them the SHLD-xxxx token with their purchase.

4. Buyer unlocks the file

Your buyer visits stlshield.com.au/unlock, enters their token and email, and downloads the STL. Or they can use the desktop app for offline access.

Encryption Specification

Every STL file is encrypted with a unique AES-256-GCM key derived via HKDF-SHA256. The encryption produces a .stlx file containing:

  • Magic bytes: STLSHLD\0
  • Version: UInt16 LE
  • Header length: UInt32 LE
  • JSON header: product ID, security mode, creation timestamp
  • Encrypted payload: AES-256-GCM ciphertext
  • Authentication tag: 16 bytes (GCM auth tag for tamper detection)

Keys are wrapped with a master key (AES-256-GCM) before storage. The master key is held in an environment variable and never written to disk or logs.

Forensic Watermarking

Every unlocked file is embedded with 8 redundant forensic watermarks — 4 on the mesh, 4 on G-code.

Mesh Watermarks

  • Vertex micro-perturbation (0.001-0.005mm)
  • Face reordering (deterministic shuffle)
  • Normal vector perturbation
  • Attribute byte steganography

G-code Watermarks

  • Feed rate LSB encoding
  • Coordinate LSB encoding
  • Extrusion LSB encoding
  • Comment marker steganography

Watermarks are keyed with HMAC-SHA256 using the buyer's email. They survive format conversion, re-meshing, and re-export — making leaked files traceable to the exact purchaser.

Supported Slicers

OrcaSlicer
PrusaSlicer
Cura
Bambu Studio
Slic3r
Simplify3D
IdeaMaker
FlashPrint
ChiTuBox

Standard mode works with all listed slicers. Maximum mode uses the built-in CuraEngine — the raw mesh never leaves memory.

Dashboard Overview

The designer dashboard is your command centre. After signing in, you will see:

  • Overview — product count, active tokens, activations this month, and watchdog alerts at a glance.
  • Products — upload, encrypt, and manage your protected files. Each product shows its token count, activation history, and download link.
  • Tokens — generate SHLD-xxxx license tokens for buyers. View status (active, exhausted, revoked) and activation count per token.
  • Activations — see every activation event: which token, which machine fingerprint, which IP, when.
  • Watchdog — automated piracy scanner results across Etsy, Thingiverse, Cults3D, Printables, MyMiniFactory, CGTrader, and Thangs.
  • Reports — revenue reports showing token issuance, activations, and piracy incidents per product (Pro plan).
  • Trace Leak — upload a suspect file to extract forensic watermarks and identify the buyer who leaked it.
  • Settings — profile, Etsy integration, notification preferences, API keys.

Desktop App Setup

The STL Shield desktop app lets buyers unlock .stlx files offline and send prints directly to their slicer.

1. Download

Visit stlshield.com.au/download and choose your platform (Windows, macOS, or Linux).

2. Open a .stlx file

Double-click any .stlx file or drag it into the app. Enter your SHLD-xxxx token and email address.

3. Print

The decrypted file is sent directly to your slicer with your preferred print settings. The raw mesh never touches disk in Maximum protection mode.

Encrypting Files

Go to Products → Upload in your dashboard. Select an STL, 3MF, OBJ, SVG, or DXF file (up to 500 MB).

Choose a security mode:

  • Standard — the buyer receives the decrypted mesh after token validation. They can slice it in any slicer. Best for most designers.
  • Maximum — the raw mesh never leaves memory. STL Shield slices it internally using CuraEngine and delivers only the G-code. The buyer cannot extract the original mesh geometry. Best for high-value designs.

After encryption, the .stlx file is stored on Cloudflare R2. Each product gets a unique AES-256-GCM encryption key, wrapped with your account's master key.

Token Management

License tokens are how buyers access protected files. Each token is a SHLD-xxxx-xxxx-xxxx-xxxx string tied to a specific product, buyer email, and activation limit.

Generating tokens: Go to Tokens → Generate. Select the product, enter the buyer's email, and set max activations (default: 3). The token is displayed once — send it to the buyer with their purchase.

Token lifecycle:

  • Active — token is valid and has remaining activations
  • Exhausted — all activations used (buyer can request a transfer)
  • Revoked — manually disabled by the designer (e.g., refund or piracy detected)

Security: Tokens are bcrypt-hashed (cost factor 12) before storage. The plaintext is never stored. Validation uses timing-safe comparison to prevent side-channel attacks.

Unlocking Files

As a buyer, you have two ways to unlock .stlx files:

Desktop App

Download from stlshield.com.au/download. Drag the .stlx file in, then enter your token and email. The file is decrypted locally and works offline after first activation.

Web Unlock

Visit stlshield.com.au/portal. Enter your email to receive a magic link. Once verified, you can download all files tied to your email — no app installation needed.

Bulk Operations

Pro and Business plans support bulk token generation via CSV import. Go to Tokens → Bulk Generate.

Upload a CSV with columns: email, maxActivations (optional, defaults to 3). Select the product, and tokens are generated for each row. You can then bulk-email the tokens directly from the dashboard.

Limits: up to 100 tokens per batch. Business plan: unlimited batches.

Watchdog Scanner

Watchdog automatically scans 7 platforms for potential piracy of your designs:

Etsy
Thingiverse
Cults3D
Printables
MyMiniFactory
CGTrader
Thangs

Detection uses three methods: image matching (perceptual hash comparison), text matching (keyword overlap), and geometry matching (mesh fingerprint comparison).

Matches appear in your Watchdog dashboard with a confidence score. From there you can dismiss false positives, confirm matches, or generate DMCA takedown notices.

DMCA Takedowns

For confirmed piracy matches, STL Shield generates platform-specific DMCA takedown notices pre-filled with your product details, the infringing listing URL, and your identity as the rights holder.

Templates are available for: Etsy, Thingiverse, Cults3D, MyMiniFactory, Printables, CGTrader, and Thangs. Each template follows the platform's specific takedown submission format.

You review and submit the notice yourself — STL Shield does not submit on your behalf (this requires your legal attestation as the copyright holder).

Evidence Reports

For legal proceedings, STL Shield generates comprehensive forensic evidence reports containing:

  • Original design details (product ID, SHA-256 hash, upload date)
  • Watermark extraction results (buyer identified, confidence score, extraction methods)
  • Buyer purchase records (token issued date, email, activation history)
  • Activation log (machine fingerprints, IP addresses, timestamps)
  • Chain of custody timeline (upload → purchase → activation → piracy detection → takedown)
  • Legal declaration (forensic methodology, data integrity statement)

Reports are generated as HTML with print-to-PDF support, suitable for submission to courts, platform legal teams, and law enforcement.

License Transfer

If a buyer exhausts their activations (e.g., new computer, new printer), they can request a license transfer through the buyer portal.

The designer receives the transfer request in their dashboard and can approve or reject it. Approving resets the activation count to zero, allowing the buyer to activate on their new device.

.stlx File Format

The .stlx format is an open, encrypted container for design files. Binary layout:

0x00  magic:          "STLSHLD\0"  [8 bytes]
0x08  version:        u16 LE       [2 bytes]
0x0A  header_len:     u32 LE       [4 bytes]
0x0E  header:         JSON         [variable]
      ├─ productId:   uuid
      ├─ version:     number
      ├─ creatorId:   uuid
      ├─ algo:        "AES-256-GCM"
      ├─ ivBase64:    base64 string
      └─ securityMode: "standard" | "maximum"
....  payload:        AES-256-GCM  [variable]
....  auth_tag:       16 bytes     [GCM authentication tag]

The specification is fully published and open. See the open letter for the industry collaboration proposal.
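
A defensive reader for the container layout above and the field list under Encryption Specification, as an added example (not STL Shield's own code). It splits a .stlx file into its fields without decrypting anything. The 64 KiB header cap, the 12-byte IV in the sample, and the sample UUIDs are assumptions made for this illustration.

```python
import base64
import json
import struct

MAGIC = b"STLSHLD\x00"
PREFIX = struct.Struct("<8sHI")  # magic, version u16 LE, header_len u32 LE (14 bytes)
TAG_LEN = 16                     # GCM authentication tag at end of file
MAX_HEADER_LEN = 64 * 1024       # assumed cap; the page states no limit


class StlxFormatError(ValueError):
    """Raised when a file does not match the documented .stlx layout."""


def parse_stlx(blob: bytes) -> dict:
    """Split a .stlx container into header, IV, ciphertext and tag."""
    if len(blob) < PREFIX.size + TAG_LEN:
        raise StlxFormatError("shorter than fixed prefix plus auth tag")
    magic, version, header_len = PREFIX.unpack_from(blob, 0)
    if magic != MAGIC:
        raise StlxFormatError("bad magic bytes")
    # header_len comes from the file: bound it before slicing or parsing.
    if header_len > MAX_HEADER_LEN or PREFIX.size + header_len + TAG_LEN > len(blob):
        raise StlxFormatError("header_len out of range")
    body_start = PREFIX.size + header_len
    try:
        header = json.loads(blob[PREFIX.size:body_start].decode("utf-8"))
        iv = base64.b64decode(header["ivBase64"], validate=True)
    except (ValueError, TypeError, KeyError, RecursionError) as exc:
        raise StlxFormatError("malformed JSON header or ivBase64") from exc
    if header.get("algo") != "AES-256-GCM":
        raise StlxFormatError("unexpected algo")
    if header.get("securityMode") not in ("standard", "maximum"):
        raise StlxFormatError("unknown securityMode")
    # The header is not covered by any check here; only GCM decryption
    # with the real key verifies the tag over the ciphertext.
    return {"version": version, "header": header, "iv": iv,
            "ciphertext": blob[body_start:-TAG_LEN], "tag": blob[-TAG_LEN:]}


def build_sample() -> bytes:
    """Constructed sample: dummy ciphertext and tag, not real AES-GCM output."""
    header = json.dumps({
        "productId": "00000000-0000-4000-8000-000000000001",  # constructed
        "version": 1,
        "creatorId": "00000000-0000-4000-8000-000000000002",  # constructed
        "algo": "AES-256-GCM",
        "ivBase64": base64.b64encode(bytes(12)).decode(),     # assumed 12-byte IV
        "securityMode": "standard",
    }).encode()
    return PREFIX.pack(MAGIC, 1, len(header)) + header + b"\xaa" * 32 + b"\xbb" * TAG_LEN
```
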

API Reference

STL Shield provides a REST API for programmatic access. Authenticate with an API key in the x-api-key header. Generate keys in Settings → API Keys (Business plan).

POST    /api/shield/encrypt    Upload and encrypt a file
POST    /api/tokens            Generate a license token
GET     /api/tokens            List tokens for a product
DELETE  /api/tokens/:id        Revoke a token
GET     /api/products          List your products
POST    /api/shield/validate   Validate a token (desktop/CLI)
GET     /api/health            Health check (public)

All endpoints return JSON. Rate limits apply. See Token Management for authentication details.

Etsy Integration

Connect your Etsy shop in Settings → Etsy. Once connected, STL Shield automatically generates and delivers license tokens when a buyer purchases a mapped product on Etsy.

Setup: map each Etsy listing to an STL Shield product. When an order comes through via Etsy’s webhook, a token is generated for the buyer’s email and sent automatically via email.

OctoPrint Integration

Buyers can send unlocked files directly to their OctoPrint server from the buyer portal. Enter the OctoPrint URL and API key in the portal, and files are uploaded to the print queue with one click.

© 2026 Agentic Conscience