Response Signature

Overview

Response objects from License API endpoints for activating and checking licenses contain a license_signature value, which is an HMAC-SHA256 signature used to verify the authenticity of the response. This mechanism ensures protection against counterfeit licensing servers and man-in-the-middle attacks.

License Signature Details

When a webhook response is received, it includes a license_signature. This signature is a secure hash generated using a server-side private key and is based on a specific format of the signing string.

Signing String Format

The string to be signed is constructed as follows:

LOWERCASE(HARDWARE_ID#USER_EMAIL_OR_LICENSE_KEY#VALIDITY_PERIOD)

Example Activation Request and Response

Request:

{
  "hardware_id": "A53F-0CBC-15FC-7E81-BF35-A720-A575-7C0C-8815-0463-DB78-E674-D140-CF15-85BB-EC01",
  "license_key": "FUH3-4E7A-LZJL-7JTP",
  "product": "TP"
}

Response:

{
  "license_signature": "60c22a575a67f5b2a1e9ff3fe204363046f1e5d097b8ebb468d903d0aaf739ac...",
  "validity_period": "2019-06-15T00:00:00.000Z",
  "license_type": "subscription",
  ...
}

Constructed Signing String

Based on the above request and response:

a53f-0cbc-15fc-7e81-bf35-a720-a575-7c0c-8815-0463-db78-e674-d140-cf15-85bb-ec01#fuh3-4e7a-lzjl-7jtp#2019-06-15t00:00:00.000z

Verifying the License Signature

You can use the server's public key to verify the license_signature. By validating the signature, you ensure the response originates from LicenseSpring's trusted servers.

Download the server public key from the link below to implement signature verification using the example provided:

Download prod.pub

Code Sample

verify-signature.js

import crypto from 'node:crypto'
import dayjs from 'dayjs'
import utc from 'dayjs/plugin/utc.js'

dayjs.extend(utc)

const response = {
  // ... truncated license response ...
  "license_key": "163U-AKLB-5BNJ-VYOF-4567",
  "hardware_id": "6993f191bca2346c4015be4ff158805da70f10cd7d82aedd11dd38c2b47025a2",
  "validity_period": null,
  "license_signature": "VAkfjWGvQDl00YkjYS/1oCz........3HtzwFt8tQ=",
};

const signingString = `${
  licenseResponse.hardware_id
}#${
  licenseResponse.username
    ? licenseResponse.username.split('|')[0]
    : licenseResponse.license_key
}#${
  licenseResponse.validity_period ? dayjs(licenseResponse.validity_period).toISOString() : ''
}`.toLowerCase();

const verifier = crypto.createVerify('RSA-SHA256');
verifier.update(signingString);
const result = verifier.verify(publicKey, licenseResponse.license_signature, 'base64');

console.log(result); // if signature is valid, this will be "true"

PreviousRequest Signature NextResponse Signature v2

Last updated 19 days ago

Was this helpful?

Good night

hashtagOverview

hashtagLicense Signature Details

hashtagSigning String Format

hashtagExample Activation Request and Response

hashtagConstructed Signing String

hashtagVerifying the License Signature

hashtagCode Sample