Skip to content

Integrating Client Software

Your software (a desktop app, WordPress plugin, Flutter app, CLI…) is the client. It enforces licensing by calling the WPLM REST API, and can verify signed licenses offline using the bundled public key.

  1. Activate — on first run, the user enters a key; the client computes a device fingerprint and calls POST /wplm/v1/activate.
  2. Validate — periodically (e.g. on launch), call POST /wplm/v1/validate to confirm the license is still good.
  3. Heartbeat — for floating licenses, call POST /wplm/v1/heartbeat on an interval to keep the lease alive.
  4. Deactivate — on uninstall/sign-out, call POST /wplm/v1/deactivate to free the seat.
Terminal window
# Activate this device
curl -X POST https://vendor.com/wp-json/wplm/v1/activate \
-H "Content-Type: application/json" \
-d '{ "license_key": "ABCD-EFGH-IJKL-MNOP", "fingerprint": "sha256-of-machine-id" }'

Compute a stable per-device fingerprint from platform-appropriate sources (machine GUID, hardware ids). Send it raw or pre-hashed — the server re-hashes it with HMAC-SHA256 before storage either way. For cloud nodes that share hardware, use a random per-install UUID instead.

/validate returns a payload signed with Ed25519. Fetch the public key once from GET /wplm/v1/public-key, bundle it in your client, and verify the signature locally — no network needed:

signedKey = base64url(payload) . "." . base64url(signature)
verify(signature, payload, WPLM_PUBLIC_KEY) // sodium_crypto_sign_verify_detached

This lets your app keep working from a cached, signed payload when the network is down, within a configurable cache-TTL / max-clock-drift window. Reject payloads whose signed timestamp drifts beyond your allowed window (replay protection).

Cache the signed revocation list from GET /wplm/v1/crl. Even offline, refuse any cached-valid license whose key hash (or device fingerprint) appears on the CRL — so a leaked key is killed within your refresh window.

Clients embed only the public key, the product id, and the server URL. The Ed25519 private key and any API consumer secrets never ship in client software — only management/back-office tools use API keys.

Map the API error codes to typed errors in your SDK: NotFound, Expired, Suspended, Revoked, LimitExceeded, Blacklisted, NetworkError, SignatureInvalid.