
License Validation API

Mike

XenForo developer
Staff member
#1
As many add-on developers (and people looking at buying second hand licenses) have requested a way to validate a license, here you go:

http://xenforo.com/api/

A customer can generate a token via the customer area for each license. You can then use that token to validate information about the license. You can also confirm if it's attached to a particular domain if you know what to look up (without us actually giving you the full URL that it's attached to).

It can be accessed via JSON as well as the web interface. Note that there are limits to the number of times it can be hit per day.

All the details are discussed on that page.

(The link to that page is on the footer of every page, BTW.)
 

HWS

Well-known member
#5
> As many add-on developers (and people looking at buying second hand licenses) have requested a way to validate a license, here you go:
>
> http://xenforo.com/api/
>
> A customer can generate a token via the customer area for each license. You can then use that token to validate information about the license. You can also confirm if it's attached to a particular domain if you know what to look up (without us actually giving you the full URL that it's attached to).
>
> It can be accessed via JSON as well as the web interface. Note that there are limits to the number of times it can be hit per day.
>
> All the details are discussed on that page.
>
> (The link to that page is on the footer of every page, BTW.)

Fantastic!

One question: How are domains matched?

If a license has "domain.com", will "www.domain.com" match? And "subdomain.domain.com" too?
 

Brogan

XenForo moderator
Staff member
#7
A license can only be linked to one domain in the customer area - that is the one which should be given out.
 

Slavik

XenForo moderator
Staff member
#8
To answer a PC about this, simply entering a domain name to check for a valid license will generate an error. This is intended. You need the token to match the domain to get a result.
 

RobParker

Well-known member
#10
Is there any reason the validation token should be kept private/non-public? If for example, people wanted to include them in their sig or profile page would that cause an issue?
 

Lisa

Well-known member
#11
> Is there any reason the validation token should be kept private/non-public? If for example, people wanted to include them in their sig or profile page would that cause an issue?

It could give people the opportunity to take your token and offer it as their own - giving a false positive.
 

RobParker

Well-known member
#13
> It could give people the opportunity to take your token and offer it as their own - giving a false positive.

Yes but you need to give it out to whoever you want to prove that you have a license to, right? Does this only work if you trust the addon developers to keep them secure/private?
 

Brogan

XenForo moderator
Staff member
#16
> Yes but you need to give it out to whoever you want to prove that you have a license to, right? Does this only work if you trust the addon developers to keep them secure/private?

You can give it out and then generate a new one after each check, rendering the previous one invalid.
 

Lisa

Well-known member
#17
> But they still need to enter the URL of the site associated with the token.

Have you tried it? You only need the token to validate someone has a licence and it's transferrable... having the domain url is just a secondary check.
 

Brogan

XenForo moderator
Staff member
#18
Put it this way, if anyone here displays their current token, it wouldn't be hard to work out which domain it is linked to, making it worthless.

So unless you want others to be able to use your token to gain false validation, the best advice is to only give it out when asked and generate a new one each time.
 

RobParker

Well-known member
#19
> You can give it out and then generate a new one after each check, rendering the previous one invalid.

Wouldn't making it a one-time thing by default be much more secure? Or at least advising on the page that you recommend regenerating it after it's been used?