Digital Products Marketplace
Sell software licenses, downloadable assets, templates, courses, and digital content with secure delivery, global tax compliance via merchant of record, and copy protection.
The Stack
Lemon Squeezy
— Merchant of record and checkout (optional)
Lemon Squeezy acts as the legal seller of record, handling VAT/GST collection and remittance in 100+ countries. Built for developers: clean API, webhook-driven fulfillment, license key generation, and a well-designed checkout.
Alternatives: paddle, fastspring, 2checkout, cleverbridge, digital-river
Paddle
— Merchant of record, enterprise/SaaS option (optional)
Paddle covers both digital downloads and SaaS subscriptions as MOR. Stronger at $1M+ ARR with dedicated fraud protection, checkout localisation, and subscription management that Lemon Squeezy lacks.
Gumroad
— Marketplace platform, creator focus (optional)
Gumroad combines the storefront, payments, and file delivery in one product. Zero engineering required; best for solo creators selling courses, e-books, and templates who want to launch in hours.
Alternatives: whop, fastspring, 2checkout
Whop
— Marketplace for digital communities and software (optional)
Whop is a marketplace where buyers discover products, giving sellers distribution on top of the transaction infrastructure. Strong for Discord servers, scripts, bots, and community products.
Stripe
— Direct payment processing, non-MOR path (optional)
For teams choosing direct sales (not MOR), Stripe handles checkout, subscriptions, and payouts. Requires separate tax compliance tools (TaxJar/Avalara) and manual VAT registration in high-volume markets.
Alternatives: braintree, paypal
Cloudflare R2
— Secure file storage and delivery
R2 provides S3-compatible object storage with zero egress fees and Cloudflare edge delivery. Generating signed URLs with short expiry times (15 min) limits link sharing and unauthorized downloads.
Alternatives: amazon-s3
Cloudflare Workers
— Download gate and license validation edge function (optional)
A lightweight Worker validates purchase status, generates signed download URLs, and rate-limits download attempts at the edge. Adds <5ms overhead vs. routing through an origin server.
Supabase
— Purchase records, license keys, and user database (optional)
Supabase (Postgres + Auth + Storage) stores purchase events, generated license keys, download counts, and user profiles. Row-level security policies cleanly enforce per-user file access.
Alternatives: neon, firebase, convex, pocketbase
Clerk
— Authentication and user management (optional)
Clerk provides pre-built login/signup UI, social OAuth, and a customer portal where buyers access their purchases. Integrates with Supabase via JWT templates.
Alternatives: auth0, stytch, magic-link
Postmark
— Transactional email
Delivery confirmations, license key emails, and download link emails must arrive instantly and reliably. Postmark's deliverability focus and 10-second average delivery make it the right tool for post-purchase transactional email.
Alternatives: sendgrid
PostHog
— Product analytics (optional)
Tracks funnel conversion from product page → checkout → download, feature-flag-controlled A/B tests on pricing pages, and session replay for diagnosing checkout drop-off.
Gotchas
- ⚠️ Merchant of record vs. direct: below $1M ARR use Paddle or Lemon Squeezy — the 5-8% fee is cheaper than EU VAT registration ($500-2000 per country), US sales tax nexus filings, and an accountant who understands digital goods tax rules.
- ⚠️ License key sharing and piracy: software licenses and digital assets are trivially shared. Implement hardware-locked or machine-count-limited licenses via a license validation API. Gumroad and Lemon Squeezy provide basic license key generation; for robust protection use a dedicated licensing service.
- ⚠️ Download link abuse: never expose direct S3/R2 URLs. Always generate signed short-lived URLs (15-30 min expiry) server-side after verifying the purchase. Rate-limit by user ID and IP.
- ⚠️ Chargeback fraud on digital goods: banks often side with buyers on digital goods disputes ('I didn't receive it'). Keep download logs with timestamps and IP addresses as evidence. Paddle/Lemon Squeezy handle chargebacks as MOR.
- ⚠️ Currency localisation: pricing in local currencies increases conversion by 10-25% in non-USD markets. Paddle's checkout does this automatically; on Stripe you need to maintain price objects per currency and handle FX risk.
- ⚠️ Update delivery for software products: customers expect to receive future updates they've paid for. Build a version/release management system (or use Lemon Squeezy's built-in update URL feature) before you ship v2.
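
The download-link gotcha above, as an added sketch that is not from the original page: a server-side gate that verifies the purchase, rate-limits by user ID and IP, and issues a 15-minute signed link. It uses a self-contained HMAC token in place of R2's S3-style presigned URLs; the key, the limits, the host `downloads.example` and the purchase records are constructed assumptions.

```python
import hashlib
import hmac
import time
from collections import defaultdict
from urllib.parse import parse_qs, urlencode, urlparse

SECRET = b"constructed-demo-key"       # assumption: comes from a secret store in practice
TTL_SECONDS = 15 * 60                  # 15-minute expiry, the low end of the page's range
MAX_LINKS_PER_WINDOW = 5               # assumed limit, applied per user and per IP
WINDOW_SECONDS = 3600
PURCHASES = {("user-1", "ebook.pdf")}  # constructed purchase records
_issued = defaultdict(list)            # rate-limit key -> timestamps of issued links

def _sign(user_id, file_key, expires):
    # Bind user, file and expiry together; ids are assumed to contain no newlines.
    msg = f"{user_id}\n{file_key}\n{expires}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def _rate_limited(key, now):
    recent = [t for t in _issued[key] if now - t < WINDOW_SECONDS]
    _issued[key] = recent
    return len(recent) >= MAX_LINKS_PER_WINDOW

def issue_download_url(user_id, ip, file_key, now=None):
    """Return a short-lived signed URL, or None if the request is refused."""
    now = int(time.time()) if now is None else now
    if (user_id, file_key) not in PURCHASES:
        return None                                # no verified purchase
    keys = (f"user:{user_id}", f"ip:{ip}")
    if any(_rate_limited(k, now) for k in keys):
        return None                                # too many links requested
    for k in keys:
        _issued[k].append(now)
    expires = now + TTL_SECONDS
    query = urlencode({"u": user_id, "f": file_key, "e": expires,
                       "sig": _sign(user_id, file_key, expires)})
    return f"https://downloads.example/get?{query}"

def verify_download_url(url, now=None):
    """Return the file key if signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    try:
        user_id, file_key, expires, sig = q["u"], q["f"], int(q["e"]), q["sig"]
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(sig.encode(), _sign(user_id, file_key, expires).encode()):
        return None                                # tampered or forged link
    return file_key if now <= expires else None    # reject expired links
```

The issue timestamps recorded per user and IP double as the download log the chargeback gotcha asks for, if they are persisted rather than held in memory.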