website logo
⌘K
Getting Started
Introduction
Basic Concepts
Opening an Account
Creating & Configuring Products
Integrating SDK and Configuring License Fulfillment
Activate a Key-Based License
Vendor Platform
Issuing New Licenses
License Detail View
Order Detail View
Customer Detail View
Metadata
Analytics
Settings
Product Configuration
Product Features
Product Custom Fields
Product Versioning
License Policies
Product Bundles
License Entitlements
License Types
Activations & Device Transfers
Features
Custom Fields
License Start Date
License Note
Maintenance Period
Trial Licenses
Floating Licenses
License Activation Types
Portals
End-User Portal
Offline Portal
Air-Gapped Portal
License API
License API Authorization
License Activation/Deactivation
License Check
Consumption
Floating
Trial Key
Product Details
Device Variables
Changing Password
Management API
Making API Requests
Management API Authorization
Customer
Product
Order
License
Device
Analytics
SDKs
Tutorials
.NET/C# SDK
.NET/C# Management SDK
C++ SDK
Java SDK
Python SDK
Go SDK
Delphi SDK
Swift/Objective-C SDK
Android SDK
Unity SDK
Errors and Response Codes
Floating Server
API Reference
Deployment
Configuration
Floating Server UI
Securing the Server
Whitelabeling
FAQ
Floating Server Changelog
Integrations
Salesforce
FastSpring
Stripe
Shopify
Common Scenarios
Single Sign On (SSO)
Glossary
General
SDK Glossary
Vendor Platform
Product Configuration Glossary
License Configuration
Postman Collections
Frequently Asked Questions
Changelog
License API changelog
Platform changelog
Docs powered by
Archbee
License API
License API Authorization

Signature Verification

4min

Webhooks for activating/checking license also return a license_signature, which is a HMAC-SHA256 signature of each license, allowing end-software to verify that the response really came from LicenseSpring servers, serving as a protection against fake licensing servers and/or man-in-the-middle attacks.

String which is signed using the server certificate is formed like follows

LOWERCASE(HARDWARE_ID#USER_EMAIL_OR_LICENSE_KEY#VALIDITY_PERIOD)

For example, for activation request:

{ hardware_id : 'A53F-0CBC-15FC-7E81-BF35-A720-A575-7C0C-8815-0463-DB78-E674-D140-CF15-85BB-EC01', license_key : 'FUH3-4E7A-LZJL-7JTP', product: 'TP' }

you get a response like (shortened):

{ "license_signature": "60c22a575a67f5b2a1e9ff3fe204363046f1e5d097b8ebb468d903d0aaf739aceca4310f78489cdfd447d7c7b044dfd0b95dc41691bc6ab93aa5e7aa3bc59dd8eb425aa0b04095cef3e0265fbe8a3ab053724b1f3d03b77b8099063b1a4f1d5eb6d6e25d6f65d4b5eab14069db95f95f905074e261b02739f746f33aa7334e4491d632bf9252f41fb239ad4780a8fe0405bba7de11ecc7c7b8542c2fd90afe9e80d939d0fefd6da217c1c866e00a9dfdba5830ccd1cb04be0b88a7ec698a4c4d139a26c5ea99d91b8b70bdc1189d55dd1dc6e7ad190aa483f7b33486089d12368c14bc68d4909bff525efb1608521cdb70539ad0de07b7ec33c9e0860551fe5c0c0013664ab5ad9f3891c82a58947204e746485b692b0dcc3fea706cea4bc147774708801a1fc00d0c207c6225f4012b6cd3d1012d25f5174ee02757ce38f537b36b8ec2a53923d810deefd9a3f0201d57ed656dc13a885a987378b7260a5ae7c60140cad27a88635970b6468f41d47acdd15f1655e26e836395ab5ee66e3cf86b2e01a066ac7d1b89f0d3f768ad6e48d8fb44c72555350eb6ecdb29e203c43259b6a4964ad1e2d882c4a050fc36617411556920a886a48c488410c383a4169c1729f70e2f0ee42254efcd91d22d482e153545316a9f93da0147332df69409fbedfa0ae24671a0f33d8256d96927b3371fa5624b8e5e267d3689e41f510e04b4", "validity_period": "2019-06-15T00:00:00.000Z", "license_type": "subscription", ... }

Signing string looks like this

a53f-0cbc-15fc-7e81-bf35-a720-a575-7c0c-8815-0463-db78-e674-d140-cf15-85bb-ec01#fuh3-4e7a-lzjl-7jtp#2019-06-15t00:00:00.000z

You can download the server public key below and use it to verify license signature based on example above

prod.pub




Updated 05 Sep 2023
Did this page help you?
PREVIOUS
Signature
NEXT
License Activation/Deactivation
Docs powered by
Archbee
Docs powered by
Archbee