License Validation API

Mike

XenForo developer
Staff member
As many add-on developers (and people looking at buying second hand licenses) have requested a way to validate a license, here you go:

http://xenforo.com/api/

A customer can generate a token via the customer area for each license. You can then use that token to validate information about the license. You can also confirm if it's attached to a particular domain if you know what to look up (without us actually giving you the full URL that it's attached to).

It can be accessed via JSON as well as the web interface. Note that there are limits to the number of times it can be hit per day.

All the details are discussed on that page.

(The link to that page is on the footer of every page, BTW.)
 
Fantastic!

One question: How are domains matched?

If a license has "domain.com", will "www.domain.com" match? And "subdomain.domain.com" too?
 
A license can only be linked to one domain in the customer area - that is the one which should be given out.
 
To answer a PC about this, simply entering a domain name to check for a valid license will generate an error. This is intended. You need the token to match the domain to get a result.
 
Is there any reason the validation token should be kept private/non-public? If, for example, people wanted to include them in their sig or profile page, would that cause an issue?
 
It could give people the opportunity to take your token and offer it as their own - giving a false positive.
 
Yes but you need to give it out to whoever you want to prove that you have a license to, right? Does this only work if you trust the addon developers to keep them secure/private?
 
You can give it out and then generate a new one after each check, rendering the previous one invalid.
 
But they still need to enter the URL of the site associated with the token.
Have you tried it? You only need the token to validate someone has a licence and it's transferable... having the domain URL is just a secondary check.
 
Put it this way, if anyone here displays their current token, it wouldn't be hard to work out which domain it is linked to, making it worthless.

So unless you want others to be able to use your token to gain false validation, the best advice is to only give it out when asked and generate a new one each time.
 
You can give it out and then generate a new one after each check, rendering the previous one invalid.

Wouldn't making it a one-time thing by default be much more secure? Or at least advising on the page that you recommend regenerating it after it's been used?
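
The replay concern raised in this thread, as an added example that is not part of any post and is not XenForo's code: a toy in-memory registry showing that a token which has been shown around keeps validating until it is regenerated, and that burning it after one check closes that window. All class, function and license names are hypothetical and the sample values are constructed.

```python
import hmac
import secrets

class LicenseRegistry:
    """Toy stand-in for a license-validation service (hypothetical model)."""

    def __init__(self, one_time=False):
        self.one_time = one_time   # the "one-time by default" idea from the thread
        self._by_token = {}        # current token -> license id
        self._licenses = {}        # license id -> {"domain", "token"}

    def add_license(self, license_id, domain):
        self._licenses[license_id] = {"domain": domain.lower(), "token": None}
        return self.regenerate(license_id)

    def regenerate(self, license_id):
        """Issue a fresh token; the previous one stops validating."""
        lic = self._licenses[license_id]
        self._by_token.pop(lic["token"], None)
        lic["token"] = secrets.token_urlsafe(16)
        self._by_token[lic["token"]] = license_id
        return lic["token"]

    def validate(self, token, domain=None):
        """Return None for an unknown token, else a dict. The stored domain is
        never returned; the caller only learns whether its guess matched."""
        license_id = self._by_token.get(token)
        if license_id is None:
            return None
        lic = self._licenses[license_id]
        result = {"valid": True}
        if domain is not None:
            result["domain_match"] = hmac.compare_digest(
                domain.lower().encode(), lic["domain"].encode())
        if self.one_time:
            self.regenerate(license_id)   # burn the token after a single check
        return result

def replay_after_check(registry, rotate_manually):
    """Owner shows a token to a verifier; someone who saw it replays it later."""
    token = registry.add_license("L-1", "example.com")   # constructed sample values
    first = registry.validate(token, "example.com")      # legitimate check
    if rotate_manually:
        registry.regenerate("L-1")                       # owner follows the thread's advice
    replay = registry.validate(token)                    # copied token offered as one's own
    return first, replay
```
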
 