NFTs & Rights: Metadata, Royalties, Licenses

Beginner
NFTs
• ~8 min read
• Updated: 08/08/2025

When you buy an NFT, you’re acquiring more than a picture but often less than you think. This comprehensive guide explains the technical, legal, and economic layers of NFT ownership where your media actually lives, what rights (if any) transfer with the token, and how royalties really work. Nothing here is legal advice; it’s a practical map so you can ask the right questions and avoid the most common pitfalls.

1) Where your NFT’s media lives

An NFT (ERC-721 or ERC-1155 on EVM chains) is a database entry on-chain. The token itself contains a contract address, a tokenId, and usually a tokenURI a pointer to a JSON metadata file. The JSON then points to the media (image/video/3D) via fields like image or animation_url.

The token is not the image. The token proves scarcity and ownership of the entry, not necessarily the bytes of the art unless those bytes are embedded on-chain.
Pointers matter. If tokenURI or image points to a centralized server, the issuer can change or remove the file (“link rot” risk). Content-addressed URIs (e.g., ipfs://<CID>) are far harder to tamper with.
Reveals & provenance. Many projects ship with a placeholder image, then “reveal” later by switching the base URI. Good practice is publishing a provenance hash (a Merkle root or concatenated hash of all images) ahead of time so traits can’t be reshuffled unfairly.

Sample ERC-721 metadata (typical fields)

{
  "name": "Example #123",
  "description": "An example collectible.",
  "image": "ipfs://bafybeigdyr.../123.png",
  "animation_url": "ipfs://bafybeigdyr.../123.mp4",
  "external_url": "https://example.com/nft/123",
  "attributes": [
    {"trait_type": "Background", "value": "Sunset"},
    {"trait_type": "Rarity", "value": "Epic"}
  ],
  "license": "CC0",
  "content_hash": "0x6a…",              // optional integrity field
  "metadata_original": "ipfs://bafy..."   // optional, points to frozen JSON
}

2) On-chain vs. Off-chain Storage

On-chain media. The art (often SVG or compressed bytes) is stored inside the contract or generated deterministically from on-chain data. Pros: strong permanence, trust-minimized. Cons: higher cost to deploy; large files impractical.
IPFS. Files are addressed by their content hash (CID). If the bytes change, the CID changes—so tampering is obvious. However, availability depends on pinning: ensure the creator, community, or a pinning service keeps the content online.
Arweave. “Pay once, store forever” economics: content is replicated across the network, designed for long-term persistence. URIs often begin with ar://. Great for permanence, but still verify that the referenced hash matches the intended file.
Centralized CDN. Fast, cheap, flexible updates… and a single point of failure under the issuer’s control. If a project promises “permanent art” but hosts on a web server, that’s a red flag unless there’s a clear plan to freeze later.

Tip (integrity): Prefer ipfs:// or ar:// in both the metadata and the media fields. If the JSON uses an HTTP gateway (e.g., https://ipfs.io/ipfs/<CID>), make sure the underlying CID is visible in the URL so you can cross-check.

3) What “ownership” means legally

Owning an NFT does not automatically grant you copyright in the underlying art. By default, the creator (or current copyright holder) retains exclusive rights to reproduce, distribute, and create derivatives unless they license those rights to you. The token gives you:

Provenance & scarcity recorded on-chain.
Transferability of the token itself (sell/gift/burn).
Utility & access that the project gates via token ownership (events, allowlists, game assets, governance).

Everything else is governed by license terms (on a website, in a repo, embedded in metadata, or mirrored on IPFS/Arweave). Look for: scope (personal vs commercial), territory, duration, moral rights, revocation conditions, brand/trademark use, and whether rights transfer when you sell the NFT.

Common misunderstandings:

“I own the token, so I can print T-shirts.” → Not unless the license says so.
“CC0 means I can use the brand name too.” → CC0 covers copyright in the work, not necessarily trademarks/logos.
“The license is on the website; that’s enough.” → Better if the license is content-addressed (e.g., IPFS) and referenced in metadata so it can’t silently change.

4) Royalties: promises vs. enforceability

“Royalties” (e.g., 2.5%–10%) are usually declared in metadata or via standards like ERC-2981 (royaltyInfo()). But base ERC-721/1155 do not enforce royalties at the protocol level. Marketplaces choose whether to pay them. As fee competition intensified, many marketplaces made royalties optional or ignored them entirely, sparking “royalty wars.”

Ethereum: Royalties are social/market-level. Standards signal intent; payment depends on marketplace policy.
Other ecosystems: Some chains and NFT programs expose creator-royalty fields, but actual runtime enforcement often still requires marketplace cooperation or specialized token programs.
Enforcement hacks: Some creators gate utility (airdrops, allowlists, metadata upgrades) behind “compliant” transfers, or use registry/filters to block zero-royalty markets. These add friction and can reduce liquidity.

Reality check: Treat royalties as a business arrangement, not a cryptographic guarantee—unless the project explicitly uses a token standard that technically forces them (with the trade-offs that entails).

5) Common NFT License Models

Personal use only. You may display, use as a profile pic, and resell the token; no commercial exploitation (no merch, ads, apps). Often prohibits modifying the art or using it in hateful/illegal contexts.
Commercial use (caps or rev-share). Allows monetization (e.g., merch, media, games). May include revenue caps (e.g., up to $100k/year without extra license) or require creator attribution.
CC0 (Creative Commons Zero). The creator waives copyright to the extent possible (public domain equivalent). Anyone, including non-holders, can use and remix. Great for meme-ability and network effects; weaker for exclusive monetization strategies.
Custom terms for games/metaverse. May split rights: you can monetize the character you own but not the project’s overall brand or logo; or permit derivatives but ban pornographic or hateful content.

License red flags: vague scope; “we can change terms anytime” without versioning; no mention of transfer on resale; license hosted only on a mutable web page; brand/trademark terms unclear; takedown rights that exceed what’s necessary to protect IP.

6) Buyer Due Diligence Checklist

Verify the contract. Use a block explorer to confirm the correct contract address and that the collection size, symbol, and creator wallet align with official announcements.
Open tokenURI. For a random tokenId, pull tokenURI, then fetch the JSON. Check that image/animation_url use ipfs:// or ar:// (or that the project plans to freeze later).
Look for “frozen” metadata. Some UIs display a “frozen” status or a content hash. Frozen ≠ on-chain, but it signals an intent not to change files after reveal.
Read the license end-to-end. Is it personal or commercial? Are there revenue caps? Does the license transfer on resale? Is the text versioned and content-addressed?
Royalties policy. What % is requested? Do target marketplaces honor it? If royalties fund ongoing work, what’s Plan B if they’re bypassed?
Creator history. Past projects, delivery track record, and transparency around treasury use. If access/utility is promised, how is it enforced (token-gated contracts, allowlists)?
Trademark vs artwork. Does the project’s brand name or logo have separate restrictions? Are you allowed to use the project’s name on merch, or only the art?

Creator corner (if you’re minting):

Publish license text on IPFS/Arweave and include its URI in each token’s metadata ("license": "ipfs://...").
Adopt ERC-2981 for royalty signaling, but be transparent that enforcement is marketplace-dependent.
Document when metadata will be frozen and how provenance is computed. If using reveals, publish the provenance hash before mint.
Separate brand/trademark terms from art copyright so holders know what they can safely do.

Further resources

NFT License templates for creators.
IPFS Docs how to store NFT metadata permanently.
Creative Commons license types and implications.
Mirror.xyz decentralized publishing for creators.

← On-chain Privacy
L2 Rollups: Optimistic vs ZK, Data Availability →