Request Signature

Overview

Requests sent to the server have to be digitally signed for purposes of authentication. The signature uses the Date header and signing algorithm used in License API Authorization.

Signature Structure

The signature in the Authorization header is a Base64-encoded HMAC-hashed value of the signing string, which is composed of:

Constant string

A constant string: licenseSpring

Newline

A newline character \n

Date header

The value of the Date header being sent in the request (see License API Authorization for more details). This is a date string in RFC7231 format

This signing string is then hashed with the customer's key (shared key) using the algorithm provided in the Authorization header (e.g. HMAC-SHA256). The resulting hash is then encoded in Base64.

Make sure the encoded string has no extra whitespace on any line, otherwise the base64 encoded value will be incorrect.

Example of Signature Generation

The following is an example of how to generate a signature. First, let's assume the following values:

Your company's shared key is kw4qSnpSwXzgiv5yxYpZZmFEd9QAeiKTQ6OuyMja
The Date header you set in the request is Tue, 07 Jun 2011 20:51:35 GMT
We'll use the default hashing algorithm, HMAC-SHA256

Now we can generate the signature:

Create the signing string:

licenseSpring
date: Tue, 07 Jun 2011 20:51:35 GMT

Hash the signing string using HMAC-SHA256

Encode the hashed value with Base64: UDysfR6MndUZReo07Y9r+vErn8vSxrnQ5ulit18iJ/Q=

The resulting string is then inserted into the Authorization header as the "signature" parameter:

algorithm="hmac-sha256", headers="date", signature="UDysfR6MndUZReo07Y9r+vErn8vSxrnQ5ulit18iJ/Q=", apikey="_company_api_key_here_"

Sample Code

Generating a signature

const crypto = require('node:crypto'),
    shared_key = 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
    signing_string = 'licenseSpring\ndate: Tue, 07 Jun 2011 20:51:35 GMT';

let signature = crypto.createHmac('sha256', shared_key).update(signing_string).digest('base64');

console.log(signature);
// UDysfR6MndUZReo07Y9r+vErn8vSxrnQ5ulit18iJ/Q=

import base64
import hashlib
import hmac
import time
from wsgiref.handlers import format_date_time

# Can be found in `Account Settings` -> `Settings` -> `Keys`
shared_key = '_your_shared_key_goes_here_'

def sign(secret_key, datestamp):
    msg = 'licenseSpring\ndate: %s' % datestamp
    hashed = hmac.new(bytes(secret_key, 'utf-8'), msg.encode('utf-8'), hashlib.sha256).digest()
    return base64.b64encode(hashed).decode()

# Generate headers
date_header = format_date_time(time.time())

signing_key = sign(shared_key, date_header)

Generating full HTTP request headers with SDK Demo keys

const fetch = require('node-fetch');

const sharedKey = 'XXXXXXXXX-XXXXX-XXXXXXXXXXXXX_XXXXXX_XXXXXX',
      apiKey = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX',
      productCode = "XX",
      baseURL = 'https://api.licensespring.com/api/v4/webhook';

function GenerateHeaders(){
    const signingDate = (new Date()).toUTCString(),
          signingString = `licenseSpring\ndate: ${signingDate}`;

    const signature = crypto.createHmac('sha256', sharedKey).update(signingString).digest('base64');

    return {
            'Content-Type': 'application/json',
            'Date': signingDate,
            'Authorization' : `algorithm="hmac-sha256",headers="date",signature="${signature}",apikey="${apiKey}"`,
        };
}

import base64
import hashlib
import hmac
import time
from wsgiref.handlers import format_date_time

# Can be found in `Account Settings` -> `Settings` -> `Keys`
shared_key = '_your_shared_key_goes_here_'
uuid = '_your_uuid_key_goes_here_'

def sign(secret_key, datestamp):
    msg = 'licenseSpring\ndate: %s' % datestamp
    hashed = hmac.new(bytes(secret_key, 'utf-8'), msg.encode('utf-8'), hashlib.sha256).digest()
    return base64.b64encode(hashed).decode()

# Generating headers
date_header = format_date_time(time.time())

signing_key = sign(shared_key, date_header)

auth_header = ','.join([
    'algorithm="hmac-sha256"',
    'headers="date"',
    'signature="%s"' % signing_key,
    'apiKey="%s"' % uuid
])

headers = {
  'Date': date_header,
  'Authorization': auth_header
}

Full sample code for checking a license key with SDK Demo keys

const fetch = require('node-fetch');

const sharedKey = 'XXXXXXXXX-XXXXX-XXXXXXXXXXXXX_XXXXXX_XXXXXX',
      apiKey = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX',
      productCode = "XX",
      baseURL = 'https://api.licensespring.com/api/v4';

function GenerateHeaders(){
    const signingDate = (new Date()).toUTCString(),
          signingString = `licenseSpring\ndate: ${signingDate}`;

    const signature = crypto.createHmac('sha256', sharedKey).update(signingString).digest('base64');

    return {
            'Content-Type': 'application/json',
            'Date': signingDate,
            'Authorization' : `algorithm="hmac-sha256",headers="date",signature="${signature}",apikey="${apiKey}"`,
        };
}

const checkLicense = async (hwid, licenseKey) => {
    const headers = GenerateHeaders()

    const response = await fetch(baseURL + '/check_license' + `?product=${productCode}&hardware_id=${hwid}&license_key=${licenseKey}`, {
        method: 'GET',
        headers: headers
    })
    console.log("/license response", await response.json());
}

checkLicense('d32q3ed3rq3rxq2r3q23q23q23', '1111-2222-3333-4444');

import base64
import hashlib
import hmac
import time
from wsgiref.handlers import format_date_time

import requests

API_URL = 'https://api.licensespring.com'

# Can be found in `Account Settings` -> `Settings` -> `Keys`
shared_key = '_your_shared_key_goes_here_'
uuid = '_your_uuid_key_goes_here_'

def sign(secret_key, datestamp):
    msg = 'licenseSpring\ndate: %s' % datestamp
    hashed = hmac.new(bytes(secret_key, 'utf-8'), msg.encode('utf-8'), hashlib.sha256).digest()
    return base64.b64encode(hashed).decode()

# Generate headers
date_header = format_date_time(time.time())

signing_key = sign(shared_key, date_header)

auth_header = ','.join([
    'algorithm="hmac-sha256"',
    'headers="date"',
    'signature="%s"' % signing_key,
    'apiKey="%s"' % uuid
])

# Send request
product_short_code = '_your_product_short_code_goes_here_'
hardware_id = '_your_hardware_id_goes_here_'
license_key = '_your_license_key_goes_here_'

response = requests.get(
    url='{}{}'.format(API_URL, '/api/v4/check_license/'),
    params={'product': product_short_code, 'hardware_id': hardware_id, 'license_key': license_key},
    headers={
        'Date': date_header,
        'Authorization': auth_header,
        'Content-Type': 'application/json'
    }
)

print(response.json())

PreviousOAuth Authorization NextResponse Signature

Last updated 4 months ago

Was this helpful?