How to Set Up Tebex Escrow for Your FiveM Scripts

Asset Escrow is the encryption layer Cfx.re built with Tebex so script authors can sell a resource that runs on a buyer's server without exposing the source code. It works by encrypting the files you select and locking the resource as an asset that authenticates against a server's license key. Setting it up is mostly about preparing your fxmanifest correctly and choosing which files to protect versus leave open. This guide is the practical, click-by-click version.

What escrow actually does (and what it doesn't)

When you escrow a resource, the files you select are encrypted so they can no longer be viewed or edited. The asset is then authenticated through the server's license key from the Cfx.re Keymaster. When a buyer starts the resource, FiveM checks that the account owning the license key the server is using is the same account that owns the asset grant. No matching grant, no run.

Escrow protects your code from casual copying and resale, but it is not a guarantee against every leak, and it does not encrypt everything. In its current form it supports Lua 5.4, plus YFT, YDD, and YDR stream files. JavaScript and C# protection has historically lagged Lua, so plan your protection strategy around what is actually encryptable.

Prepare your fxmanifest.lua

Escrow has a hard requirement: your fxmanifest.lua must declare lua54 'yes'. If it doesn't, the asset will fail to encrypt or run correctly. While you are in the manifest, make sure your resource is otherwise clean: correct fx_version, game 'gta5', and properly listed client/server/shared scripts. Escrow encrypts what you ship, so a messy manifest produces a messy asset.

Next, decide what stays readable. You almost always want config and locale files left open so buyers can configure the script without touching protected code. You control this with the escrow_ignore directive, which accepts individual files, folder wildcards, and recursive globs.

• lua54 'yes' is mandatory
• 'config.lua' to leave a single file open
• 'stream/*.yft' to ignore all YFT files in a folder
• 'locales/**/*.lua' to ignore files in any subfolder recursively

Create the asset in the Cfx.re Portal

Zip your resource folder (the folder containing fxmanifest.lua, not its parent), then go to the Cfx.re Portal and create a new asset, uploading the zip. The Portal encrypts the files according to your manifest and escrow_ignore rules and stores it as a Created Asset on your account. The maximum size per escrowed asset is 1GB, which is generous for code but worth watching if you bundle large stream assets.

When you need to ship an update later, do not create a new asset. Go to Created Assets, select the existing asset, choose Re-Upload, and upload the new zip. This preserves the asset identity so everyone who already bought it receives the update automatically through their existing grant.

Connect the asset to a Tebex package

Escrowed assets can only be distributed through a Tebex package, by design. In your Tebex control panel, create or edit a package, choose FiveM Asset as the deliverable, and select your created asset from the list. From that point, every purchase triggers Tebex to write a grant to the buyer's Cfx.re account via the Keymaster API, and delivery is fully automatic.

One important limitation to plan around: created assets cannot be transferred to another Cfx.re account. Whatever account creates the asset is the account that must own and maintain it, so use the account you actually intend to run your business from. PlayDeck walks you through this exact setup as part of its AI build-to-sell workflow, so the asset, manifest, and package are configured correctly the first time instead of after a failed launch.