Licenses are used to verify a user’s access to a product to ensure that the product isn’t leaked/cracked. Licenses are generally used for Minecraft Plugins or Discord Bots, but can be implemented with any application.

When your application starts, it’ll send a request verifying the inputted license key (usually in a config file). The server will validate the key and respond with whether it’s valid or not, at which point the app can start/stop based on the received response.

Licenses can be configured with a maximum number of allowed IP addresses. To decrease this number, you’ll need to make a support ticket in Candor Studios, but it can be increased on the dashboard.

<aside> 🛑

To use a license system in an order, you must discuss it with the client beforehand (before they pay) and gain their approval. If they do not approve and they haven’t paid yet, you may either choose to ask the OM to remove you from the order, or to not include the license system. If they have paid and they don’t agree, you will be required to not include the license system.

</aside>

Endpoints

<aside> ✅

POST /products/:id/verify-license

Verifies the inputted license key. Responses from this endpoint are signed so that your application can confirm they were not tampered with during transit.

Request body:

| Name | Type | Description |
| --- | --- | --- |
| license | String | The license key to verify |

Response body:

| Name | Type | Description |
| --- | --- | --- |
| license | String | The license key |
| timestamp | Long | The timestamp used for the signature |
| valid | Boolean | Whether the license key is valid or not |
| signature | String | RSA signed hash of the response data with Candor’s private key (see below) |
| product | String | ID of the product |

In some cases, you won’t receive such a detailed response. This may occur if you don’t get far enough in validation (the product doesn’t exist, you didn’t include the key field, etc.). You may receive something like the following:

| Name | Type | Description |
| --- | --- | --- |
| message | String | The reason the request failed |
</aside>

Encryption & Signatures

To ensure that responses aren’t modified during transit, all responses from Candor Hub are signed. This signature is then verified by the client to ensure that the response is in fact valid.

Responses are signed using SHA256withRSA: the data is hashed with SHA-256 and the hash is then signed with Candor’s private key. The response from the server should be formatted like the following (in EXACTLY this order) before being hashed:

license={license key here}&valid={valid boolean here}&timestamp={timestamp here}&product={product id here}

Example:

license=LIC-123456&valid=true&timestamp=1700000000&product=product-123

Then, you should verify the signature using Candor Studios’ public key (this is Base64 encoded, so you’ll need to decode it first):

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA80AWjlgESmTlrqOfG7Rtyd30+IHryCkDf+phuFQuDI2AhEa1DnJ9xsz4gPYNOWzLxDz6cBBlpZ+4KgzyO/uKDJDjPgp4TTrTncdEuLgXr5zCKpuXU29pABncZrnZYxvFohB2BYRaWD+BGvSCCZfihcFcUZ67Kwy0rWeEFhew8w8uWc8Vg3nYtY6TYD09jK7eUD2dckcybzGbgypFsV5fZ4kScqelBBD9xqv3oWc8/wJJffPAdQeRrkQTaQMKM95bHOgpSckrRS5xc/NLlQ+DFPyXqZ4guvnkgS8UgKK4/7GGVQ4AdC11Z8y6hx5++1owBXAbsViCcQBY35g9hQyB9QIDAQAB

Only once that has been validated should you trust the response. If validation fails, discard the response and try again.
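The verification steps above, as an added Node.js example (not Candor's own code). It assumes the `signature` field is Base64 encoded, which the page does not state, and it adds a check that the signed `license` and `product` match what the client sent; the function names and the `expected` parameter are hypothetical, and the demo signs with a throwaway key pair constructed in place of Candor's.

```javascript
const crypto = require('crypto');

// Rebuild the signed string in the exact field order the page specifies.
function canonicalString(res) {
  return `license=${res.license}&valid=${res.valid}` +
         `&timestamp=${res.timestamp}&product=${res.product}`;
}

// publicKeyB64: Base64 of a DER SubjectPublicKeyInfo key, the form of the key on this page.
// expected: the license key and product ID this client sent in its request.
// Assumption: `signature` is Base64 encoded; the page does not state its encoding.
function verifyLicenseResponse(res, publicKeyB64, expected) {
  // Error bodies such as { message } carry no signature and are never trusted.
  if (typeof res.signature !== 'string' || typeof res.valid !== 'boolean') {
    return { trusted: false, reason: 'unsigned or incomplete response' };
  }
  const key = crypto.createPublicKey({
    key: Buffer.from(publicKeyB64, 'base64'), format: 'der', type: 'spki',
  });
  // 'sha256' with an RSA key means PKCS#1 v1.5, which Java names SHA256withRSA.
  const signatureOk = crypto.verify('sha256', Buffer.from(canonicalString(res), 'utf8'),
    key, Buffer.from(res.signature, 'base64'));
  if (!signatureOk) return { trusted: false, reason: 'bad signature' };
  // Added check, not stated on the page: the signed fields must match the request,
  // so a genuine signed reply about another key or product is not accepted.
  if (res.license !== expected.license || res.product !== expected.product) {
    return { trusted: false, reason: 'reply is for another license or product' };
  }
  return { trusted: true, valid: res.valid };
}

// Constructed demo: a throwaway key pair stands in for Candor's private key.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const pubB64 = publicKey.export({ type: 'spki', format: 'der' }).toString('base64');
  const sign = (r) => ({ ...r, signature:
    crypto.sign('sha256', Buffer.from(canonicalString(r)), privateKey).toString('base64') });
  const sent = { license: 'LIC-123456', product: 'product-123' };
  const denied = sign({ ...sent, valid: false, timestamp: 1700000000 });
  const other = sign({ license: 'LIC-999999', product: 'product-123', valid: true, timestamp: 1700000000 });
  return {
    genuine: verifyLicenseResponse(denied, pubB64, sent),
    flipped: verifyLicenseResponse({ ...denied, valid: true }, pubB64, sent),
    swapped: verifyLicenseResponse(other, pubB64, sent),
    errorBody: verifyLicenseResponse({ message: 'Product not found' }, pubB64, sent),
  };
}
```

In a real client, pass the Base64 public key from this page as `publicKeyB64` and start the application only when the result is both `trusted` and `valid`.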