Response Signature

7min
Overview
Response objects from License API endpoints for activating and checking licenses contain a license_signature value, which is an HMAC-SHA256 signature used to verify the authenticity of the response. This mechanism ensures protection against counterfeit licensing servers and man-in-the-middle attacks.
License Signature Details
When a webhook response is received, it includes a license_signature. This signature is a secure hash generated using a server-side private key and is based on a specific format of the signing string.
Signing String Format
The string to be signed is constructed as follows:
LOWERCASE(HARDWARE_ID#USER_EMAIL_OR_LICENSE_KEY#VALIDITY_PERIOD)
Example Activation Request and Response
{
   "hardware_id": "A53F-0CBC-15FC-7E81-BF35-A720-A575-7C0C-8815-0463-DB78-E674-D140-CF15-85BB-EC01",
   "license_key": "FUH3-4E7A-LZJL-7JTP",
   "product": "TP"
}
{
   "license_signature": "60c22a575a67f5b2a1e9ff3fe204363046f1e5d097b8ebb468d903d0aaf739ac...",
   "validity_period": "2019-06-15T00:00:00.000Z",
   "license_type": "subscription",
   ...
}
Constructed Signing String
Based on the above request and response:
a53f-0cbc-15fc-7e81-bf35-a720-a575-7c0c-8815-0463-db78-e674-d140-cf15-85bb-ec01#fuh3-4e7a-lzjl-7jtp#2019-06-15t00:00:00.000z
Verifying the License Signature
You can use the server's public key to verify the license_signature. By validating the signature, you ensure the response originates from LicenseSpring's trusted servers.
Download the server public key from the link below to implement signature verification using the example provided:
prod.pub
﻿
Code Sample
JS
import crypto from 'node:crypto'
import dayjs from 'dayjs'
import utc from 'dayjs/plugin/utc.js'

dayjs.extend(utc)

const response = {
  // ... truncated license response ...
  "license_key": "163U-AKLB-5BNJ-VYOF-4567",
  "hardware_id": "6993f191bca2346c4015be4ff158805da70f10cd7d82aedd11dd38c2b47025a2",
  "validity_period": null,
  "license_signature": "VAkfjWGvQDl00YkjYS/1oCz........3HtzwFt8tQ=",
};

const signingString = `${
  licenseResponse.hardware_id
}#${
  licenseResponse.username
    ? licenseResponse.username.split('|')[0]
    : licenseResponse.license_key
}#${
  licenseResponse.validity_period ? dayjs(licenseResponse.validity_period).toISOString() : ''
}`.toLowerCase();

const verifier = crypto.createVerify('RSA-SHA256');
verifier.update(signingString);
const result = verifier.verify(publicKey, licenseResponse.license_signature, 'base64');

console.log(result); // if signature is valid, this will be "true"

import crypto from 'node:crypto'
import dayjs from 'dayjs'
import utc from 'dayjs/plugin/utc.js'

dayjs.extend(utc)

const response = {
  // ... truncated license response ...
  "license_key": "163U-AKLB-5BNJ-VYOF-4567",
  "hardware_id": "6993f191bca2346c4015be4ff158805da70f10cd7d82aedd11dd38c2b47025a2",
  "validity_period": null,
  "license_signature": "VAkfjWGvQDl00YkjYS/1oCz........3HtzwFt8tQ=",
};

const signingString = `${
  licenseResponse.hardware_id
}#${
  licenseResponse.username
    ? licenseResponse.username.split('|')[0]
    : licenseResponse.license_key
}#${
  licenseResponse.validity_period ? dayjs(licenseResponse.validity_period).toISOString() : ''
}`.toLowerCase();

const verifier = crypto.createVerify('RSA-SHA256');
verifier.update(signingString);
const result = verifier.verify(publicKey, licenseResponse.license_signature, 'base64');

console.log(result); // if signature is valid, this will be "true"
﻿
﻿
Updated 16 Jan 2025
Did this page help you?
Request Signature
Response Signature v2