Response Signature

Overview

Response objects from License API endpoints for activating and checking licenses contain a license_signature value, which is an HMAC-SHA256 signature used to verify the authenticity of the response. This mechanism ensures protection against counterfeit licensing servers and man-in-the-middle attacks.

License Signature Details

When a webhook response is received, it includes a license_signature. This signature is a secure hash generated using a server-side private key and is based on a specific format of the signing string.

Signing String Format

The string to be signed is constructed as follows:

LOWERCASE(HARDWARE_ID#USER_EMAIL_OR_LICENSE_KEY#VALIDITY_PERIOD)

Example Activation Request and Response

Request:

{
  "hardware_id": "A53F-0CBC-15FC-7E81-BF35-A720-A575-7C0C-8815-0463-DB78-E674-D140-CF15-85BB-EC01",
  "license_key": "FUH3-4E7A-LZJL-7JTP",
  "product": "TP"
}

Response:

{
  "license_signature": "60c22a575a67f5b2a1e9ff3fe204363046f1e5d097b8ebb468d903d0aaf739ac...",
  "validity_period": "2019-06-15T00:00:00.000Z",
  "license_type": "subscription",
  ...
}

Constructed Signing String

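Based on the above request and response:

a53f-0cbc-15fc-7e81-bf35-a720-a575-7c0c-8815-0463-db78-e674-d140-cf15-85bb-ec01#fuh3-4e7a-lzjl-7jtp#2019-06-15t00:00:00.000z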

Verifying the License Signature

You can use the server's public key to verify the license_signature. By validating the signature, you ensure the response originates from LicenseSpring's trusted servers.

Download the server public key from the link below to implement signature verification using the example provided:

Download prod.pub

Code Sample
