Response Signature

overview response objects from license api endpoints for activating and checking licenses contain a license signature value, which is an hmac sha256 signature used to verify the authenticity of the response this mechanism ensures protection against counterfeit licensing servers and man in the middle attacks license signature details when a webhook response is received, it includes a license signature this signature is a secure hash generated using a server side private key and is based on a specific format of the signing string signing string format the string to be signed is constructed as follows lowercase(hardware id#user email or license key#validity period) example activation request and response { "hardware id" "a53f 0cbc 15fc 7e81 bf35 a720 a575 7c0c 8815 0463 db78 e674 d140 cf15 85bb ec01", "license key" "fuh3 4e7a lzjl 7jtp", "product" "tp" } { "license signature" "60c22a575a67f5b2a1e9ff3fe204363046f1e5d097b8ebb468d903d0aaf739ac ", "validity period" "2019 06 15t00 00 00 000z", "license type" "subscription", } constructed signing string based on the above request and response a53f 0cbc 15fc 7e81 bf35 a720 a575 7c0c 8815 0463 db78 e674 d140 cf15 85bb ec01#fuh3 4e7a lzjl 7jtp#2019 06 15t00 00 00 000z verifying the license signature you can use the server's public key to verify the license signature by validating the signature, you ensure the response originates from licensespring's trusted servers download the server public key from the link below to implement signature verification using the example provided https //archbee doc uploads s3 amazonaws com/ijdhyjblo9loxordnwjtx/8 om1oqw9qe45obpr7mt prod pub code sample import crypto from 'node\ crypto' import dayjs from 'dayjs' import utc from 'dayjs/plugin/utc js' dayjs extend(utc) const response = { // truncated license response "license key" "163u aklb 5bnj vyof 4567", "hardware id" "6993f191bca2346c4015be4ff158805da70f10cd7d82aedd11dd38c2b47025a2", "validity period" null, "license signature" "vakfjwgvqdl00ykjys/1ocz 3htzwft8tq=", }; const signingstring = `${ licenseresponse hardware id }#${ licenseresponse username ? licenseresponse username split('|')\[0] licenseresponse license key }#${ licenseresponse validity period ? dayjs(licenseresponse validity period) toisostring() '' }` tolowercase(); const verifier = crypto createverify('rsa sha256'); verifier update(signingstring); const result = verifier verify(publickey, licenseresponse license signature, 'base64'); console log(result); // if signature is valid, this will be "true"