1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

License Validation API

Discussion in 'Resource and Add-on Discussions' started by Mike, Apr 11, 2013.

  1. Mike

    Mike XenForo Developer Staff Member

    As many add-on developers (and people looking at buying second hand licenses) have requested a way to validate a license, here you go:

    http://xenforo.com/api/

    A customer can generate a token via the customer area for each license. You can then use that token to validate information about the license. You can also confirm if it's attached to a particular domain if you know what to lookup (without us actually giving you the full URL that it's attached to).

    It can be accessed via JSON as well as the web interface. Note that there are limits to the number of times it can be hit per day.

    All the details are discussed on that page.

    (The link to that page is on the footer of every page, BTW.)
     
  2. Chris D

    Chris D XenForo Developer Staff Member

    Truly awesome. Well done.
     
    Lisa likes this.
  3. Lisa

    Lisa Well-Known Member

    Nicely done. A method that should please everyone, I think.
     
  4. MattW

    MattW Well-Known Member

    Fantastic Mike (y)
     
  5. HWS

    HWS Well-Known Member

    Fantastic!

    One question: How are domains matched?

    If a license has "domain.com", will "www.domain.com" match? And "subdomain.domain.com" too?
     
  6. Mike

    Mike XenForo Developer Staff Member

    www. is stripped out, but otherwise it expects the host to match.
     
    HWS likes this.
  7. Brogan

    Brogan XenForo Moderator Staff Member

    A license can only be linked to one domain in the customer area - that is the one which should be given out.
     
  8. Slavik

    Slavik XenForo Moderator Staff Member

    To answer a PC about this, simply entering a domain name to check for a valid license will generate an error. This is intended. You need the token to match the domain to get a result.
     
  9. James Freeman

    James Freeman Member

    Are you guys going to integrate this into the installation system to check if people have a valid licence?
     
  10. RobParker

    RobParker Well-Known Member

    Is there any reason the validation token should be kept private/non-public? If for example, people wanted to include them in their sig or profile page would that cause an issue?
     
    Adam Howard likes this.
  11. Lisa

    Lisa Well-Known Member

    It could give people the opportunity to take your token and offer it as their own - giving a false positive.
     
  12. MattW

    MattW Well-Known Member

    But they still need to enter the URL of the site associated with the token.
     
    Adam Howard likes this.
  13. RobParker

    RobParker Well-Known Member

    Yes but you need to give it out to whoever you want to prove that you have a license to, right? Does this only work if you trust the addon developers to keep them secure/private?
     
  14. Brogan

    Brogan XenForo Moderator Staff Member

    No they don't.

    A simple token check can be made without the associated domain.
     
    Brandon Sheley likes this.
  15. Shelley

    Shelley Well-Known Member

    Amazing stuff, excellent work Mike.
     
  16. Brogan

    Brogan XenForo Moderator Staff Member

    You can give it out and then generate a new one after each check, rendering the previous one invalid.
     
    RobParker likes this.
  17. Lisa

    Lisa Well-Known Member

    Have you tried it? You only need the token to validate someone has a licence and it's transferrable... having the domain url is just a secondary check.
     
  18. Brogan

    Brogan XenForo Moderator Staff Member

    Put it this way, if anyone here displays their current token, it wouldn't be hard to work out which domain it is linked to, making it worthless.

    So unless you want others to be able to use your token to gain false validation, the best advice is to only give it out when asked and generate a new one each time.
     
  19. RobParker

    RobParker Well-Known Member

    Wouldn't making it a one-time thing by default be much more secure? Or at least advising on the page that you recommend regenerating it after it's been used?
     
  20. RobParker

    RobParker Well-Known Member

    That should be on the page :)
     

Share This Page