Response Signature

overview response objects from license api endpoints for activating and checking licenses contain a license signature value, which is an hmac sha256 signature used to verify the authenticity of the response this mechanism ensures protection against counterfeit licensing servers and man in the middle attacks license signature details when a webhook response is received, it includes a license signature this signature is a secure hash generated using a server side private key and is based on a specific format of the signing string signing string format the string to be signed is constructed as follows example activation request and response constructed signing string based on the above request and response verifying the license signature you can use the server's public key to verify the license signature by validating the signature, you ensure the response originates from licensespring's trusted servers download the server public key from the link below to implement signature verification using the example provided code sample import crypto from 'node\ crypto' import dayjs from 'dayjs' import utc from 'dayjs/plugin/utc js' dayjs extend(utc) const response = { // truncated license response "license key" "163u aklb 5bnj vyof 4567", "hardware id" "6993f191bca2346c4015be4ff158805da70f10cd7d82aedd11dd38c2b47025a2", "validity period" null, "license signature" "vakfjwgvqdl00ykjys/1ocz 3htzwft8tq=", }; const signingstring = `${ licenseresponse hardware id }#${ licenseresponse username ? licenseresponse username split('|')\[0] licenseresponse license key }#${ licenseresponse validity period ? dayjs(licenseresponse validity period) toisostring() '' }` tolowercase(); const verifier = crypto createverify('rsa sha256'); verifier update(signingstring); const result = verifier verify(publickey, licenseresponse license signature, 'base64'); console log(result); // if signature is valid, this will be "true"