Why this matters
License keys are finite. A one-time activation code or unlock token can only be used once — and once it has been emailed to a buyer, it has effectively left your pool whether the buyer paid with a stolen card or not. Without this rule, every fraudulent order would consume a real key, and merchants selling small-batch software, course access, or activation codes would watch their inventory drain on chargeback fraud. Alva Digital Downloads treats key assignment as a reservation made after the order is trusted, not at the moment of payment.
How it works in practice
The flow runs the same way every time when fraud checks are enabled on the shop:
- Order paid — the Shopify
orders/paidwebhook lands. Alva creates the Purchase record and queues the order in the fraud queue. - Keys reserved? No. Every linked key stays at status
AVAILABLEin the pool. NoPurchaseLicenseKeyrow exists yet. - You approve — Alva picks the oldest available keys from the linked tag, marks them
ASSIGNED, attaches them to the purchase, and emails the customer. - Pool empty at approval? Alva creates a
PendingLicenseKeyAssignmentrecord. The next CSV upload fills pending orders in FIFO order and emails customers automatically. - You reject — no key is ever assigned. The pool is unchanged. The order receives no download email.
What you'll see in the admin
The order detail page shows the fraud-pending status in the License keys section. The license key status API returns pending_fraud_check with the message "Order is pending verification" while the order sits in the queue. The home dashboard surfaces a Pending fraud approvals count so held orders don't get forgotten.
Alva admin order detail page for an order in the fraud queue. Show the License keys section displaying the "pending verification" status, with the Approve and Reject buttons visible above. No real customer data visible.
What customers see
The customer's Shopify order page shows the order as paid — Alva does not block Shopify's checkout. The customer does not receive a download email and no key appears on the order status page or customer account page. On approval, Alva sends the delivery email with the assigned key. On rejection, no email is sent and the merchant refunds the order through Shopify.
Limitations
POS orders skip the fraud queue entirely. A digital product sold at a Shopify POS terminal assigns its license key and sends the delivery email immediately at the point of sale. The reasoning: a card-present sale is operationally different (the buyer is physically present, chip-and-PIN has already run), and forcing approval on every in-store purchase would break the counter experience. If your shop sells license-keyed products at POS and online, expect POS sales to consume keys instantly while online sales wait for approval.
FAQ
Can I assign a key to an order before fraud approval?
Not while the order is in the fraud queue. Approve the order first, then Alva assigns and emails the key automatically. To skip the wait entirely, disable fraud checks under Settings — every paid order will then receive its key immediately.
What if I run out of keys at the moment of approval?
Alva creates a PendingLicenseKeyAssignment record for the purchase. As soon as you upload more keys to that tag, the oldest pending order claims them first (FIFO) and the customer is emailed automatically.
Does this apply to manually assigned keys too?
Yes. Any key flowing through Alva — auto-assigned, auto-generated, or manually attached — is held until fraud approval clears. The exception is POS orders, which skip the queue entirely.
See also
Was this helpful?
Last updated 2026-05-06