License API
License API Authorization
Signature Verification
3min
Webhooks for activating/checking license also return a license_signature, which is a HMAC-SHA256 signature of each license, allowing end-software to verify that the response really came from LicenseSpring servers, serving as a protection against fake licensing servers and/or man-in-the-middle attacks.
String which is signed using the server certificate is formed like follows
LOWERCASE(HARDWARE_ID#USER_EMAIL_OR_LICENSE_KEY#VALIDITY_PERIOD)
For example, for activation request:
{
hardware_id : 'A53F-0CBC-15FC-7E81-BF35-A720-A575-7C0C-8815-0463-DB78-E674-D140-CF15-85BB-EC01',
license_key : 'FUH3-4E7A-LZJL-7JTP',
product: 'TP'
}
you get a response like (shortened):
{
"license_signature": "60c22a575a67f5b2a1e9ff3fe204363046f1e5d097b8ebb468d903d0aaf739aceca4310f78489cdfd447d7c7b044dfd0b95dc41691bc6ab93aa5e7aa3bc59dd8eb425aa0b04095cef3e0265fbe8a3ab053724b1f3d03b77b8099063b1a4f1d5eb6d6e25d6f65d4b5eab14069db95f95f905074e261b02739f746f33aa7334e4491d632bf9252f41fb239ad4780a8fe0405bba7de11ecc7c7b8542c2fd90afe9e80d939d0fefd6da217c1c866e00a9dfdba5830ccd1cb04be0b88a7ec698a4c4d139a26c5ea99d91b8b70bdc1189d55dd1dc6e7ad190aa483f7b33486089d12368c14bc68d4909bff525efb1608521cdb70539ad0de07b7ec33c9e0860551fe5c0c0013664ab5ad9f3891c82a58947204e746485b692b0dcc3fea706cea4bc147774708801a1fc00d0c207c6225f4012b6cd3d1012d25f5174ee02757ce38f537b36b8ec2a53923d810deefd9a3f0201d57ed656dc13a885a987378b7260a5ae7c60140cad27a88635970b6468f41d47acdd15f1655e26e836395ab5ee66e3cf86b2e01a066ac7d1b89f0d3f768ad6e48d8fb44c72555350eb6ecdb29e203c43259b6a4964ad1e2d882c4a050fc36617411556920a886a48c488410c383a4169c1729f70e2f0ee42254efcd91d22d482e153545316a9f93da0147332df69409fbedfa0ae24671a0f33d8256d96927b3371fa5624b8e5e267d3689e41f510e04b4",
"validity_period": "2019-06-15T00:00:00.000Z",
"license_type": "subscription",
...
}
Signing string looks like this
a53f-0cbc-15fc-7e81-bf35-a720-a575-7c0c-8815-0463-db78-e674-d140-cf15-85bb-ec01#fuh3-4e7a-lzjl-7jtp#2019-06-15t00:00:00.000z
You can download the server public key below and use it to verify license signature based on example above
Updated 05 Sep 2023
Did this page help you?