Getting a validation token
You can generate a validation token from the customer area. Each license will have a "validation token" link under it.
Clicking that link will generate a token if you don't have one for that license or display the current token if one has been generated.
If you wish to change your token, it can be regenerated from there. Note that your previous tokens will immediately fail to validate.
In general, we recommend providing your validation token to trusted parties only. After giving out a token and having it verified, you may wish to regenerate your token. However, doing so will break any ongoing checks that third parties may perform; you will need to balance these needs.
Using the license validation API
- When requesting a validation token from a customer, you must explain how the token will be used. You may only use the token in this manner. You will not disclose a validation token to a third party (other than XenForo Ltd.).
- Each IP can only make 1000 API requests per 24 hours. The request period restarts at midnight GMT. If you need more requests than this, contact us to discuss your requirements.
If you are going to make use of license validation tokens, here are some best practices:
- Ask for the domain that is associated with a token. This provides an extra step of validation and helps confirm ownership.
- If confirming ownership of a domain is important, you may wish to have the user upload a file to their domain with a particular name or content. Google Webmaster Tools uses this technique.
- Accept a license_token or customer_token only once, as necessary.
- Optionally consider storing the validation_token and periodically checking that it is still valid (and has the values that you require). Note that token regeneration will break this so you must handle this situation gracefully.
Using the license validation API programmatically
While we provide the API via a human readable web interface, it can also be queried programmatically via JSON.
POST requests to https://xenforo.com/customer-api/license-lookup.json with the following parameters:
- token: the license validation token to look up
- domain: checks whether the license is attached to this domain (optional)
A request for a valid token will return a JSON object with the following keys/values:
- validation_token: (string) the token that was looked up
- customer_token: (string) a string that will uniquely identify the customer this license is associated with
- license_token: (string) this will uniquely represent the license in question. It will not change when the token is regenerated.
- is_valid: (boolean) this will be true unless the license is no longer legitimate. Licenses with expired support are still valid.
- can_transfer: (boolean) true if the license can be transferred
- domain_match: (boolean or null) if a domain was provided, this will be true/false based on whether it matched the license. If no domain was provided, this will be null.
- domain: (string or null) if a domain was provided, the domain that we tested. This may be changed from the original domain supplied in the request.
A request for an invalid token will return a 404 HTTP response. If you have made too many requests, a 503 HTTP response will be returned.
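A client for the JSON endpoint described above that also applies the accept-once and domain-check practices, as an added example (not XenForo's own code). The names `lookup`, `verify`, `RateLimited` and the `seen_licenses` set are assumptions for illustration; the `opener` parameter exists only so the logic can be exercised without network access.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

API_URL = "https://xenforo.com/customer-api/license-lookup.json"

class RateLimited(Exception):
    """503 from the API: request quota exhausted. Retry later; the token is not proven invalid."""

def lookup(token, domain=None, opener=urllib.request.urlopen):
    """POST the token (and optional domain). Return the JSON object, or None on 404."""
    params = {"token": token}
    if domain:
        params["domain"] = domain
    body = urllib.parse.urlencode(params).encode()
    try:
        # Supplying data makes urllib issue a POST request.
        with opener(urllib.request.Request(API_URL, data=body), timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None  # invalid token, or one the customer has since regenerated
        if exc.code == 503:
            raise RateLimited() from exc
        raise

def verify(token, domain, seen_licenses, opener=urllib.request.urlopen):
    """Return (ok, reason). seen_licenses holds license_token values already accepted."""
    info = lookup(token, domain, opener)
    if info is None:
        return False, "unknown or regenerated token"
    # Compare against True explicitly: domain_match is null when no domain was sent.
    if info.get("is_valid") is not True:
        return False, "license not valid"
    if info.get("domain_match") is not True:
        return False, "domain does not match license"
    # license_token survives token regeneration, so it is the stable key to deduplicate on.
    license_id = info.get("license_token")
    if not license_id or license_id in seen_licenses:
        return False, "license already accepted"
    seen_licenses.add(license_id)
    return True, "ok"
```

In a real deployment `seen_licenses` would be a persistent store, and a `RateLimited` error should defer the check rather than reject the customer.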